US6453419B1 - System and method for implementing a security policy - Google Patents
- Publication number: US6453419B1 (application US09/040,827)
- Authority: US (United States)
- Prior art keywords: node, access, decision, service, scc
- Legal status: Expired - Lifetime
Classifications
- H04L63/0227—Filtering policies (under H04L63/02, network security architectures for separating internal from external traffic, e.g. firewalls)
- H04L63/0263—Rule management
- H04L9/40—Network security protocols (under H04L9/00, cryptographic mechanisms and network security protocols)
- H04L63/083—Authentication of entities using passwords (under H04L63/08, authentication of entities)
Definitions
- the present invention is related to computer network security, and more particularly to a system and method for representing and implementing a security policy.
- a firewall is a system which enforces a security policy on communication traffic entering and leaving an internal network.
- An overview of firewall technology is provided in “Firewalls fend off invasions from the Net” published February 1998 in IEEE Spectrum, the discussion of which is hereby incorporated by reference.
- Access Control Lists are a very important part of a firewall design. These lists are used to both restrict access to servers and to define the required filters for those services. Almost every connection to or through the firewall will use the ACL to determine whether the connection is allowed and what the conditions of the connections are.
- BFS: BorderWare™ Firewall Server
- Both Sidewinder and BorderWare have an ACL mechanism.
- the ACL checks are performed in the kernel. The advantage of this is that each process can access the data even from its own chroot(2) area. Each process simply does a system call. There is no place in BFS' ACL system calls to block and the code required in the proxies/servers is easy to implement and is unobtrusive.
- the ACLs themselves, however, are very difficult for the user to understand. The end result is a nice mechanism that is difficult to use.
- On Sidewinder there is a process called ACLd which resolves the ACL checks.
- In order to make the ACLs work properly, ACLd is a non-blocking process. Proxies must open a connection to ACLd, make the request, and come back later to get the result. Thus, the ACL part of the proxy code itself is more complex and pervasive. Further, ACLd can be a bottleneck since that one process is serving many other processes. Sidewinder can, however, support a much more flexible and comprehensive ACL system than is found on BFS.
- While ACLs are a convenient, centrally located way of storing access control rules, they do tend to become complex as the number of networks and users increases. This increased complexity makes them cumbersome and unwieldy to apply, and difficult to manage. Rules get out of date, often leaving dangerous access rules in place for users who are no longer supposed to have access to the system (e.g., ex-employees).
- What is needed is a method of presenting and managing access control rules which can easily respond to changes in the number of networks and users.
- the present invention is a system and method of implementing a security policy, comprising the steps of providing a plurality of access policies, defining a process and connecting the access policies and the process to form a security policy.
- an access control mechanism in a computer network having a plurality of separate networks.
- the access control mechanism includes a plurality of regions, including a first and a second region, one or more services bridging said first and second region, access control rules which define a security policy, wherein the access control rules limit data transfer by the one or more services bridging the first and second regions, wherein the access control rules are defined as a decision tree, wherein the decision tree includes a decision node and a first and a second branch and wherein the decision node includes a true and a false destination path, wherein the true destination path leads to the first branch and the false destination path leads to the second branch and access control logic, wherein the access control logic operates with the access control rules to enforce the security policy.
- a system and method for limiting transfers between networks comprises the steps of defining a to-from set, wherein the to-from set lists a source network and a destination network, associating the to-from set with the first service, defining a path, wherein the path includes desired options for limiting transfer from the source network to the destination network via the first service, storing information regarding the to-from set, the first service and the path as an access control rule, receiving a request to set up said first service between the source network and the destination network, comparing the request to the access control rule to determine access and, if access is allowed, establishing the service between the source and destination networks.
- FIGS. 1a and 1b illustrate two representative firewall-protected computing systems
- FIGS. 2 and 3 show other firewall-protected computing systems
- FIGS. 4 and 5 show access control rules
- FIGS. 6a-6d, 7 and 8 show how an access control rule is built in a graphical user interface (GUI) system.
- GUI: graphical user interface
- Two representative firewall-protected computing systems are shown in FIGS. 1a and 1b.
- System 10 in FIG. 1a includes an internal network 12 connected through firewall 14 to external network 16.
- a server 18 and one or more workstations 20 are connected to internal network 12 and communicate through firewall 14 with servers or workstations on external network 16.
- System 30 in FIG. 1b includes an internal network 32 connected through firewall 34 to external network 36.
- a server 38 and one or more workstations 40 are connected to internal network 32.
- a server 42 is connected through network 44 to firewall 34.
- Workstations 40 communicate through firewall 14 with servers or workstations on external network 16 and with server 42 on network 44.
- network 44 and server 42 are in a demilitarized zone (DMZ) providing protected access to server 42 to internal users and to external entities.
- DMZ: demilitarized zone
- firewalls 14 and 34 implement a region-based security system as will be discussed below.
- Regions are a new and flexible way of organizing systems such as systems 10 and 30 . Regions let you group both physical interfaces (network cards) and Virtual Private Networks (VPNs) into areas of similar trust and security needs. Regions (along with services) provide the foundation on which every access rule is built. By grouping together networks and VPNs that require the same type of security, you eliminate the need to enter multiple versions of the same access rule for each network or VPN. In doing so, regions give you the flexibility to tailor a security policy that meets the specific needs of your network environment. A discussion of the use of regions to define a security policy is explained in greater detail by Reid et al. in “System and Method for Controlling Interactions Between Networks”, U.S. Patent Application No. Xx/xxxxxx, filed herewith, which discussion is hereby incorporated by reference.
- firewall 34 coordinates communication between internal network 32 (e.g., a company private network), external network 36 (e.g., the Internet) and DMZ network 44 (e.g., a secure server network). In one such embodiment, firewall 34 also controls virtual private network (VPN) communication between external entities and networks 32 and 44.
- Regions are defined and one or more networks is assigned to each region.
- the regions are Sales Office, Worldwide Customer Service, Worldwide Sales, Secure ‘DMZ’ and R&D Network.
- R&D Network includes the trusted internal network. Sales Office and Secure ‘DMZ’ are within slightly less trusted regions. Worldwide Customer Service and Worldwide Sales come in unencrypted over the Internet and are, therefore, the least trusted.
- Firewall 34 protects regions from unauthorized access through the use of access rules. For each connection attempt, the Firewall checks it against the defined access rules. The rule that matches the characteristics of the connection request is used to determine whether the connection should be allowed or denied.
- ACLs are the heart and soul of firewall 34 .
- the firewall checks the ACLs for permissions on use and for constraints for the connection. Constraints can include: encryption requirements, authentication requirements, time of day restrictions, concurrent sessions restrictions, connection redirection, address or host name restrictions, user restrictions and so forth.
- access rules are created in a completely new way—using decision trees.
- an access rule is based on a series of decisions made about a connection.
- Such an embodiment therefore lets you build an access rule based on “nodes” of decision criteria. You can add a node to check for such criteria as the time of day, whether the connection uses the appropriate authentication or encryption, the user or groups initiating the connection request or the IP address or host of the connection. Each node is compared against an incoming connection request and you determine whether the connection is allowed or denied based on the results of the node comparison.
- One such access rule decision tree is shown for illustration in FIG. 4.
- the access rule is shown as a decision tree with special kinds of nodes which make true or false decisions. Each decision leads to a branch which contains more nodes.
- filters can be acquired. These filters are not processed by the kernel with the exception of redirects (rewrite destination address and/or port).
- ACLs consist of all the required kernel code. This is all the code that implements the rules themselves in the kernel including: building, modifying, deleting, and querying the rules. Also included are the system calls that the user level programs need to use the ACLs. The parsing of the return values, especially the filters are not part of the ACLs themselves since the filter rules are defined dynamically by the programs issuing the system calls to build the ACLs. In such an embodiment, the kernel should be flexible enough to handle all the filter requirements without needing modifications for future enhancements.
- every access rule must consist of two specific nodes.
- the first, Services node 60 decides which service(s) the rule will control.
- the second, From/To node 62 determines the source region and destination region of the connection. Once you establish the services and regions for the rule, you then can add more nodes to determine specific details about the connection.
- the simplest access rule contains service node 60 and from/to node 62 and then a terminal node 64 or 66. (In the embodiment shown in FIG. 4, the terminal nodes are Allow 64 and Deny 66.)
- the approach illustrated in FIG. 4 introduces a new way to control network access.
- the Firewall presents access rules as visual decision tree diagrams. Each diagram contains building blocks or nodes of information that apply a condition to or make a decision about the connection. At any point, you can add alerts to indicate when a particular point in an access rule has been reached or filters to check for authentication, encryption, WWW blocking or FTP commands.
- the Firewall determines whether the connection is true or false. If the connection meets the criteria listed in the node, the connection is considered true and proceeds along a “true” branch. If the connection does not meet the node criteria, the connection is considered false and proceeds along a “false” branch.
- Time of day decision node 68 and user/group decision node 70 are shown in FIG. 4.
- Filters differ from decision nodes in that they do not determine if a connection is true or false. Instead, filters attempt to apply a condition to the connection. If the filter can be applied to the connection, the filter is performed and the connection proceeds along the same path. If the filter does not apply to the connection, the filter is ignored and the connection still proceeds.
- filter node 72 can force user authentication or encryption, can use filters to block particular WWW connections, or can filter the connection to see if it contains Java or ActiveX content.
- a rewrite node is a point in an access rule where source or destination addresses are mapped to other source or destination addresses.
- Destination IP address rewrites allow an inbound connection through NAT address hiding to be remapped to a destination inside the NAT barrier.
- Source address rewrites can be used on outbound connections to make the source appear to be one of many external addresses. This process allows the internal hosts to be aliased to external addresses. In one embodiment, rewrites can be based on any connection criteria, including users.
- When a connection request reaches a node in a rule, it is checked against the information in the node. If the node is a filter node 72, the filter condition is either applied or ignored. Only one branch leads out of a filter node. If the node happens to be a decision node, there are two possible results. If the connection meets the criteria listed, it is considered true and follows the “true” branch of the access rule. Otherwise, the connection is considered “false” and follows the false branch.
- If at node 70.1 the connection was initiated by a user or group listed in this node, the connection proceeds down the true path. If the connection was not initiated by the users or groups listed, then the connection proceeds to the right along the false path.
- The true and false branches allow you to tailor your access rule to be as simple or complex as you need.
- rule 61 manages HTTP and SSL connections over the Internet.
- Rule 61 shows from/to nodes 62.1 and 62.2.
- Node 62.1 defines what happens to traffic received from the Internet.
- Node 62.2 defines what happens to traffic directed from internal network 32 toward Internet 36.
- If the traffic is received from Internet 36, the kernel applies rewrite node 74.
- rewrite node 74 would, for instance, redirect connections to the public access servers on Secure Server Network 42.
- a more complex rule is applied.
- a check is made for time of day. One example would be to restrict outbound access to certain business hours. If the result is “TRUE” (e.g., access is only permitted during non-business hours and it is currently non-business hours), control moves to Allow node 64.1 and the access is allowed.
- Otherwise, control moves to authentication node 76 and the user is authenticated. Authentication may be as simple as a password or could require, for example, the use of a token card. Control then moves to node 70, where a decision is made based on the authenticated user. In one example, if at 70 the authenticated user is determined to be management, control moves to node 64.2 and access is allowed. If, however, the result is “FALSE”, control moves to node 78 and a URL blocking filter (such as SmartFilter from Secure Computing Corporation) is applied. If the results of the URL blocking filter are to allow access, control moves to node 64.3. If not, control moves to alert node 80 and an alert message is sent, for instance, to the System Administrator.
- the ACLs described above combine the services themselves, the regions that the services bridge, and the access control decisions.
- the user draws a graph which starts with a service and a to-from set.
- the user creates a path consisting of the desired options which can include: time, session counts, authentication, encryption, users/groups, WWW filters, ftp filters, email filters, destination address re-writes, to addresses and from addresses.
- the user is building a decision tree.
- some of the decision nodes in the tree have two paths from them to the next node (a true path and a false path) and some just have one path.
- the nodes that have one path are nodes which provide filtering, logging, or address rewrites. No decisions are made on filtering since filtering is performed in user level code. (For example, to make the implementation easier, the kernel will not try to implement SmartFilter. Instead, the result of the ACL check will be to provide a response which notes SmartFilter should be applied and supplies the categories which are to be blocked. The proxy will allow the connection provided that the SmartFilter check allows the connection.)
- each node in the decision tree can be one of two types of node.
- the first type is a decision node.
- the second type of node is a filter node.
- a decision node is one where the decision regarding the action to perform is done in the kernel. To the user, on the GUI, it means that they can have a true branch and a false branch. This node is implemented in user space in the service itself.
- a filter node is implemented in user space in the service itself.
- the service will ignore filters which do not apply to it. To the user, on the GUI, it means that they can only have a true branch.
- the false branch is always a deny service.
- the scc_decision_node is a union structure that looks like this:
- node_type is one of:
- the node_type indicates if a permit or deny is to be used.
- subrule_ptr is to implement the rule within a rule requirement of the GUI.
- the node_descriptor is a character string which describes this particular node. There is no set definition for this description so the backend is free to enumerate nodes as it wishes, and the GUI/backend can use node descriptors to glue together messages from the audit stream to trace through what is happening in the decision process. We also use the node descriptor as an index into the node table. This table has as entries a pointer to each node for fast node lookup.
- the node_has_been_deleted flag is set when a node is deleted. If at any point in an ACL check we come across such a node we issue a deny. We use the reference_count to determine if we actually delete the node. Only when the reference count is zero do we actually free up the memory.
- the debug_node flag can be set to do various things as will be discussed below.
- We use the loop_check flag to prevent loops in the ACLs causing us to recurse forever. We set this flag to true when we enter this node for checking, and after checking the children to the end we reset the value to false. If while checking the children we encounter a loop flag set to true, we know we have reached a cycle in the tree.
- Services node 60 and regions node 62 are special decision nodes which anchor the decision tree. This allows for quick indexing by service number. To do this, there will be an array of pointers (scc_service_array) indexed by the service number. The pointers point to an array of regions used by that service. There will be a variable max_service_number which the kernel will maintain to use as a guideline for indexing into the service array.
- Each entry in the scc_service_array will be a structure as follows:
- Each service should have a unique number but this will not be implemented in the kernel. Rather, the kernel will be given a service number and the kernel will allocate a bucket for that service. The kernel will be unconcerned about which service this bucket actually belongs to. Note that the scc_service_rec is not a part of the scc_decision_node listed above.
- the user decision node is used to make decisions specific to users or groups of users. This structure is simple and goes like this:
- the proxy would need to query for a user name and call again with that information.
- the IP Addresses/Host Names decision node is used to make decisions that select for/against source or destination addresses or host names.
- Host names are stored reversed; rafael.tor.securecomputing.com would be moc.gnitupmoceruces.rot.leafar. These are then put into sorted order. This allows the kernel to quickly process wildcard entries. It is also important that unneeded entries are not loaded into the kernel. For example, if the user has specified *.com, then no other entries of the form .com should be present in the list passed to the kernel.
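Added example (not code from the patent) of the reversed, sorted host-name list described above: each name is reversed character by character, the list is sorted, entries already shadowed by a wildcard are dropped before loading, and a lookup walks the sorted list with early termination. It assumes a wildcard appears only as a leading `*` in the original name, so it becomes a trailing `*` after reversal.

```c
#include <stdlib.h>
#include <string.h>

#define MAX_HOST 256

/* Reverse a name character by character, as the patent does:
 * "rafael.tor.securecomputing.com" -> "moc.gnitupmoceruces.rot.leafar". */
void reverse_name(const char *in, char *out, size_t cap)
{
    size_t n = strlen(in);
    if (n >= cap) n = cap - 1;
    for (size_t i = 0; i < n; i++) out[i] = in[n - 1 - i];
    out[n] = '\0';
}

static int cmp_str(const void *a, const void *b)
{
    return strcmp(*(char *const *)a, *(char *const *)b);
}

/* Drop (and free) entries already covered by a wildcard; returns the new count.
 * '*' (ASCII 42) sorts before every hostname character, so in sorted order a
 * reversed wildcard such as "moc.*" precedes everything it covers: one pass suffices. */
int prune_shadowed(char **sorted, int n)
{
    int kept = 0;
    const char *cover = NULL;
    size_t cover_len = 0;
    for (int i = 0; i < n; i++) {
        if (cover && strncmp(sorted[i], cover, cover_len) == 0) { free(sorted[i]); continue; }
        size_t len = strlen(sorted[i]);
        if (len && sorted[i][len - 1] == '*') { cover = sorted[i]; cover_len = len - 1; }
        sorted[kept++] = sorted[i];
    }
    return kept;
}

/* Reverse each pattern into heap storage, sort, then prune; out must hold n pointers. */
int build_reversed_list(const char **patterns, int n, char **out)
{
    for (int i = 0; i < n; i++) {
        out[i] = malloc(MAX_HOST);
        reverse_name(patterns[i], out[i], MAX_HOST);
    }
    qsort(out, n, sizeof *out, cmp_str);
    return prune_shadowed(out, n);
}

/* Match a host against the sorted reversed list; 1 on a hit. Because of the
 * ordering argument above, once the list has passed the host nothing later can match. */
int host_in_list(char *const *sorted, int n, const char *host)
{
    char rev[MAX_HOST];
    reverse_name(host, rev, sizeof rev);
    for (int i = 0; i < n; i++) {
        const char *p = sorted[i];
        size_t plen = strlen(p);
        int c = (plen && p[plen - 1] == '*') ? strncmp(rev, p, plen - 1) : strcmp(rev, p);
        if (c == 0) return 1;
        if (c < 0) return 0;
    }
    return 0;
}

/* Constructed sample list (not from the patent), built once on first use. */
static char *g_list[4];
static int g_count = -1;

static void ensure_sample_list(void)
{
    static const char *pats[] = { "rafael.tor.securecomputing.com", "*.securecomputing.com",
                                  "mail.example.org", "www.example.net" };
    if (g_count < 0) g_count = build_reversed_list(pats, 4, g_list);
}

int sample_list_count(void) { ensure_sample_list(); return g_count; }

int sample_host_matches(const char *host)
{
    ensure_sample_list();
    return host_in_list(g_list, g_count, host);
}
```

The explicit rafael entry is shadowed by *.securecomputing.com and never reaches the kernel, which is exactly the pruning the text asks for.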
- the Maximum Concurrent Sessions decision node provides the ability to put a choke on the number of concurrent sessions on a service or group of services. We want to have the ability to program a counter to be shared among all the services on this path, or to have the counter count for each service individually.
- service_specific_flag can have values:
- the shared count record is used. Otherwise, the array is used. Note the size of the array is stored in num_services and the array is indexed as:
- the scc_detail_count_rec is:
- the node_has_been_deleted tells a process that is going to decrement the counter whether this node is being used or not. If set to false, then the record is in use and increments or decrements are done accordingly. If set to true, then when the count gets decremented to zero, the memory is freed up and the parent's reference counter is decremented. If the parent has been deleted and if the reference counter is set to zero then the parent node is freed.
- the node_has_been_deleted flag in the detailed record, gets set to true (i.e. not zero) when the node itself goes away (the user has removed it from the diagram) or if the counter is switched from individual to shared service counts. Note that each counter is indexed by to region and from region so that the count is unique on a service-from region-to region triplet.
- the parent_record pointer points back to the top level scc_decision_node.
- the service_number is there so that we can index into the service_counters array and set the array pointer to NULL when we are preparing to free up memory.
- the Time/Date decision node provides the ability to use date and time as a means of restricting access to services.
- the structures look like this:
- the scc_date_rec is the top level structure and it has number_details separate date rules. Each of those rules are in a scc_date_detail_rec. So, we have an array of structures in scc_date_rec each of which has a start seconds and an end seconds value. Each value is relative to the beginning of Sunday. Thus, start second 0 and end second 1 would be allowing the connection only during the first second of Sunday.
- the backend must provide the records in sorted order by start_second.
- a time and date decision is based on a series of time rules. We simply check the current time and day against each rule. If we find a rule where the current time and day falls in that rule, then the decision is the true path otherwise it is the false path.
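As an added illustration (not code from the patent), the evaluator below walks a small tree built from the node kinds described above: a Time/Date decision node with scc_date_detail_rec rules in seconds from the start of Sunday, a filter node whose string is only accumulated for the proxy, terminal Allow/Deny nodes, the deny on a node_has_been_deleted node, and the loop_check cycle guard. The struct layout, the result codes other than ACL_NEED_MORE_FILTER_SPACE, and the half-open time interval are assumptions.

```c
#include <stddef.h>
#include <string.h>

#define SECS_PER_WEEK (7L * 24 * 3600)

/* Result codes handed to the proxy. Only ACL_NEED_MORE_FILTER_SPACE is named in
 * the patent; the other two names are assumed. */
enum acl_result { ACL_DENY = 0, ACL_ALLOW = 1, ACL_NEED_MORE_FILTER_SPACE = 2 };

enum node_type { NODE_ALLOW, NODE_DENY, NODE_TIME, NODE_FILTER };

/* One time rule in seconds from the start of Sunday. Treated as half-open
 * [start, end) (assumed): start 0 / end 1 covers Sunday's first second. */
struct scc_date_detail_rec { long start_second; long end_second; };

/* Assumed node layout; the patent's scc_decision_node union is not shown. */
struct scc_decision_node {
    enum node_type node_type;
    const char *node_descriptor;
    int node_has_been_deleted;     /* reaching a deleted node yields a deny */
    int loop_check;                /* set while the node is on the current walk */
    const struct scc_date_detail_rec *details;   /* NODE_TIME, sorted by start_second */
    int number_details;
    const char *filter_string;     /* NODE_FILTER: opaque text the proxy interprets */
    struct scc_decision_node *true_path;   /* the single exit of a filter node */
    struct scc_decision_node *false_path;
};

/* Rules arrive sorted by start_second, so stop once a rule starts after now. */
static int time_rule_matches(const struct scc_date_detail_rec *d, int n, long now)
{
    for (int i = 0; i < n && d[i].start_second <= now; i++)
        if (now < d[i].end_second) return 1;
    return 0;
}

/* Walk from node n, appending filter strings (';'-separated) into filters[cap]. */
static int walk(struct scc_decision_node *n, long now, char *filters, size_t cap)
{
    int result;
    if (n == NULL || n->node_has_been_deleted) return ACL_DENY;
    if (n->loop_check) return ACL_DENY;   /* cycle in the tree: deny, never recurse forever */
    n->loop_check = 1;
    switch (n->node_type) {
    case NODE_ALLOW: result = ACL_ALLOW; break;
    case NODE_DENY:  result = ACL_DENY;  break;
    case NODE_TIME: {
        int hit = time_rule_matches(n->details, n->number_details, now % SECS_PER_WEEK);
        result = walk(hit ? n->true_path : n->false_path, now, filters, cap);
        break;
    }
    case NODE_FILTER: {
        /* The kernel decides nothing here; it only collects the string for the proxy. */
        const char *fs = n->filter_string ? n->filter_string : "";
        size_t used = strlen(filters), sep = used ? 1 : 0;
        if (used + sep + strlen(fs) + 1 > cap) { result = ACL_NEED_MORE_FILTER_SPACE; break; }
        if (sep) strcat(filters, ";");
        strcat(filters, fs);
        result = walk(n->true_path, now, filters, cap);
        break;
    }
    default: result = ACL_DENY;
    }
    n->loop_check = 0;   /* children checked to the end: clear the marker */
    return result;
}

/* Constructed sample rule (not from the patent): Monday 09:00-17:00 connections
 * must authenticate by password and are then allowed; anything else is denied.
 * with_cycle wires the filter node back to the time node to exercise loop_check. */
int sample_rule_check(long now, int with_cycle, char *filters, size_t cap)
{
    static const struct scc_date_detail_rec monday_hours =
        { 86400 + 9 * 3600, 86400 + 17 * 3600 };
    struct scc_decision_node allow = { NODE_ALLOW,  "allow" };
    struct scc_decision_node deny  = { NODE_DENY,   "deny" };
    struct scc_decision_node auth  = { NODE_FILTER, "auth-filter" };
    struct scc_decision_node tnode = { NODE_TIME,   "time-node" };
    auth.filter_string = "authentication=password";
    auth.true_path = with_cycle ? &tnode : &allow;
    tnode.details = &monday_hours;
    tnode.number_details = 1;
    tnode.true_path = &auth;
    tnode.false_path = &deny;
    filters[0] = '\0';
    return walk(&tnode, now, filters, cap);
}

/* Small wrappers so the result and the accumulated filter text can be inspected. */
static char g_filters[64];
int sample_check(long now, int with_cycle)
{
    return sample_rule_check(now, with_cycle, g_filters, sizeof g_filters);
}
const char *sample_filters(void) { return g_filters; }
int sample_check_small_buffer(long now)
{
    char small[8];
    return sample_rule_check(now, 0, small, sizeof small);
}
```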
- For a rule to be complete, it must consist of at least a Services node 60 and a Region node 62 and have all true and false branches terminated by terminal nodes 64 or 66. If you plan to use a segment of a particular rule in more than one rule, you can create a partial rule. Partial, or shared, rules can be added to any complete rule.
- complete or partial access rules can be configured using a graphical user interface such as is shown in FIGS. 4 and 5.
- a rule is simply a chain of decision nodes. After the chain of rules is completed, the decision path at the entry point to the sub-rule is taken based on the outcome of the rule. The filters and audit messages within the rule are still generated and accumulated.
- Log nodes direct the kernel to log messages to the audit subsystem.
- the backend can fully specify the message to log.
- the structure is as follows:
- filters are just strings which the proxy interprets to perform its filtering.
- the kernel does none of the decision work. Instead, the kernel is given a pattern, and if the node is reached and if there is some data for the decision made at that node, then the pattern is accumulated as a filter. All of the filters are accumulated by the kernel, concatenated together and returned to the proxy as part of the system call. In such an embodiment, the kernel requires no work to implement filters beyond the re-writing of addresses.
- a filter structure contains all the relevant filter data. The following shows the data and explains its use:
- If filter_string_length is zero, there are no filters; otherwise, this filter string is appended to the array passed in by the service in the ACL call.
- the filters are as follows: encryption, authentication,
- the encryption filter requires that a connection is encrypted with a certain level of encryption. It will be up to the user level process to verify that the requirements of the filter are met. If the requirements are not met the action is to deny the connection.
- the authentication filter requires that a connection is authenticated.
- One or more possible methods of authentication can be specified. This would only apply to those protocols that allow for a user name as part of the protocol. Currently this would be: ftp, telnet, and WWW.
- SmartFilter can be used as described above.
- a WWW filter may block Java or ActiveX scripts.
- the SmartFilter filter can also specify which policy to use (for sites that define multiple policies). These are performed by the caching WWW proxy only.
- One such embodiment also includes cookie blocking.
- There are a number of possible FTP Filters. These include filtering on: GET, PUT, PASV, PORT, MKDIR, RMDIR, RENAME, DELETE, SITE, filtering on file size and filtering anonymous ftp. All filtering must be done by the proxy or server.
- Redirect nodes act like filters since they only have one path out of them.
- Redirects are tables which map source or destination addresses to other source or destination addresses. Currently we only map destination addresses. The most obvious use of redirects is to map connections coming into the firewall from the insecure side of a NAT region pair to a secure machine. In this case, the connecting host cannot see the hosts behind the firewall. The redirects will map a connection coming to a given firewall address (could be one of many because of MAT) to the desired secure host. The kernel will only accept addresses (the UI can accept names providing it translates them to an address).
- the tables whose structure is described below, will contain an entry for each MAT address that applies.
- Another use of redirects is to map an address going from a region which can see all the hosts in the destination region. In this case, the redirect has only one entry which maps the address and port to the given address and port.
- the final case is one where we might not know which of the above two apply. In that case, all possible MAT addresses might be present and a global rule in the case that the connection is not to the Firewall itself, is also present. This final case happens when you are using a redirect from a rule within a rule.
- the structure for the redirect table is as follows:
- the node_type is one of:
- the redirect mapping goes as follows:
- a port number of 0 means any port and an address of 0.0.0.0 means any address.
- One embodiment supports netmasks in the kernel. Such an embodiment masks the address to check with the netmask and check to see if it is the same as the check_addr. If so (and providing there is a port match) we have a match. Thus the check_addr and the netmask must match.
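Added example, not from the patent, of the redirect-table match just described: port 0 and address 0.0.0.0 act as wildcards, the connection's destination is masked with the entry's netmask and compared with check_addr, and an entry whose check_addr disagrees with its netmask is rejected. The field names, the first-match order and the to_port convention are assumptions.

```c
#include <stdint.h>
#include <stdio.h>

/* One row of the redirect table; field names follow the patent's description. */
struct redirect_entry {
    uint32_t check_addr;   /* address to match (host byte order); 0 means any address */
    uint32_t netmask;      /* 0xffffffff matches a single host */
    uint16_t check_port;   /* 0 means any port */
    uint32_t to_addr;      /* rewritten destination address */
    uint16_t to_port;      /* 0 keeps the connection's original port (assumed) */
};

/* Parse dotted-quad text into host byte order; returns 0 on malformed input
 * (trailing characters, out-of-range octet). */
int parse_ipv4(const char *s, uint32_t *out)
{
    unsigned a, b, c, d;
    char extra;
    if (sscanf(s, "%u.%u.%u.%u%c", &a, &b, &c, &d, &extra) != 4) return 0;
    if (a > 255 || b > 255 || c > 255 || d > 255) return 0;
    *out = ((uint32_t)a << 24) | (b << 16) | (c << 8) | d;
    return 1;
}

/* Convenience for building tables inline; 0 on parse failure. */
uint32_t ip4(const char *s) { uint32_t v = 0; return parse_ipv4(s, &v) ? v : 0; }

/* The kernel requires check_addr and netmask to agree: masking check_addr must
 * not change it, otherwise the entry could never match anything. */
int redirect_entry_valid(const struct redirect_entry *e)
{
    return (e->check_addr & e->netmask) == e->check_addr;
}

int redirect_rule_ok(const char *addr, const char *mask)
{
    struct redirect_entry e = { ip4(addr), ip4(mask), 0, 0, 0 };
    return redirect_entry_valid(&e);
}

/* First matching row wins. Returns 1 and sets the rewritten destination. */
int redirect_lookup(const struct redirect_entry *t, int n, uint32_t addr, uint16_t port,
                    uint32_t *new_addr, uint16_t *new_port)
{
    for (int i = 0; i < n; i++) {
        const struct redirect_entry *e = &t[i];
        if (!redirect_entry_valid(e)) continue;   /* skip malformed rows rather than trust them */
        int addr_ok = e->check_addr == 0 || (addr & e->netmask) == e->check_addr;
        int port_ok = e->check_port == 0 || e->check_port == port;
        if (addr_ok && port_ok) {
            *new_addr = e->to_addr;
            *new_port = e->to_port ? e->to_port : port;
            return 1;
        }
    }
    return 0;
}

/* Constructed sample table (not from the patent): one firewall MAT address mapped
 * for port 80, a /24 of MAT addresses mapped wholesale, and a global catch-all rule. */
static int sample_lookup(const char *dst, uint16_t port, uint32_t *a, uint16_t *p)
{
    struct redirect_entry table[] = {
        { ip4("203.0.113.10"), ip4("255.255.255.255"), 80, ip4("10.1.1.5"), 8080 },
        { ip4("203.0.113.0"),  ip4("255.255.255.0"),    0, ip4("10.1.1.6"), 0 },
        { 0,                   0,                       0, ip4("10.1.1.9"), 0 },
    };
    uint32_t d;
    if (!parse_ipv4(dst, &d)) return 0;
    return redirect_lookup(table, 3, d, port, a, p);
}

uint32_t sample_redirect_addr(const char *dst, uint16_t port)
{
    uint32_t a; uint16_t p;
    return sample_lookup(dst, port, &a, &p) ? a : 0;
}

int sample_redirect_port(const char *dst, uint16_t port)
{
    uint32_t a; uint16_t p;
    return sample_lookup(dst, port, &a, &p) ? (int)p : -1;
}
```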
- MAT nodes handle MAT addresses on a single region interface.
- the GUI system allows the user to configure different behaviors depending on which address the connection came to the firewall on. To handle this, the backend needs to put a MAT node as the node the service points to for those regions that have MATs. For example, if the user enables a service From “region 1” To “Firewall via address a”, then a MAT node is needed. We only need MAT nodes for the firewall region, provided that MAT has been defined for the firewall in that region.
- a hash table that stores pointers to the decision nodes.
- the hash table consists of pointers to linked lists. The string is hashed to a bucket in the table and each bucket is the start of a linked list. When a node is added to the table, the name is checked for uniqueness by looking at the strings in the linked list that the name hashes to. If it is unique, the node is added to the front of the hash table; if the node is already present, an EEXIST error is returned.
- the hashing algorithm used is the sum of the characters in the name modulo the size of the table.
- the table is static in size and is set to ACL_HASH_TABLE_SIZE (i.e. 200 buckets).
- scc_hash_init function which is called by scc_acl_init.
- the size of the hash table is stored in scc_d_node_hash_size and the table itself is stored in scc_d_node_table.
- Counters need to be kept consistent (i.e. correct) even when a process that holds a connection dies. There are several ways to do this.
- the current approach is to use the proc structure of the process making the system call. A new field will be added to keep track of each counter used by that process and the number of concurrent uses of the counter. When the process dies, then the exit 1 code in the kernel will go through and clear the counters and free the proc space.
- This flag is part of every counter and is set to true (i.e. not zero) if the counter is no longer in use and zero otherwise. If a process decrements a current count to zero and if the flag is set to true, then the memory is freed since no process is using that memory. If a flag is set to true and the current count is already zero, then the memory is freed up immediately.
- the entry in the proc structure is: scc_ACL_cell *scc_ACL_head; Each cell in this linked list is as follows:
- the connection id passed back to the proxy will be the actual pointer to the scc_ACL_cell.
- when the proxy does its free, we can very easily free up the counter space, free the memory, and re-attach the linked list of connection information.
- the proxy will make two calls to the ACLs.
- the first call is:
- the possible return values are:
- service_number: a number that the backend decides; it is unique per service or, if desired, per (service, from region, to region) triplet.
- src_ip: the source IP address of the connection.
- dst_ip: the destination IP address of the connection.
- src_host_name: the host name obtained by reverse lookup of the source address of the connection. This is generally only used when the kernel explicitly asks for it by returning ACL_RESOLVE_SRC_ADDR from a previous call to scc_is_service_allowed.
- dst_host_name: the host name obtained by reverse lookup of the destination address of the connection. This is generally only used when the kernel explicitly asks for it by returning ACL_RESOLVE_DST_ADDR from a previous call to scc_is_service_allowed.
- user_name: the user name of the person using the service. This value is only used when ACL_NEED_USER_NAME has been returned by the kernel. Use NULL if the name has not yet been requested. Currently only FTP, telnet and WWW support user names.
- name_valid: tells the ACLs whether a user name makes any sense for this protocol. If name_valid is TRUE, user decision nodes will be evaluated (and thus a user name will be required if a user decision node is encountered when checking the ACL). If FALSE, user decision nodes are ignored and the true path of any such node encountered when checking the ACL is taken.
- to_region: the region number that the destination address of this connection is in.
- filter_text_len: a pointer to an integer holding the length of the filter_text array. On return it is set to the amount of data returned by the access call. If the return value is ACL_NEED_MORE_FILTER_SPACE, it contains the amount of space required instead.
- filter_text: an array of characters of size filter_text_len used to store the concatenated filter strings accumulated while checking the ACLs.
- rule_name_len: the size of the rule_name array.
- rule_name: the name of the rule that allowed or denied the connection. At most rule_name_len - 1 characters will be stored in it.
- redirect_dst_addr_port: the address and port to redirect this connection to.
- the system will set this to all zeroes if it is not in use.
- the port and address will always both be set together in this structure if it is to be used. Only the sin_port and sin_addr parts of the structure will be used.
- redirect_src_addr_port: tells the firewall that, when making the connection from the firewall to the destination, it should use the source address/port provided. Note that, unlike the redirect_dst_addr_port field, only the parts of the address required will be filled out. In particular, if the port is specified but not the address, then the address field will be zero; similarly, if the address is specified but not the port, then the port will be zero. For redirect_dst_addr_port, if one or both fields are specified then they are both returned (with the unspecified field left the same as the actual destination).
- master_key: the key that indicates which items have been licensed on the firewall.
- connection_id: the connection id for this connection.
- the user name will be used by the system to get the groups automatically behind the scenes in the library call. This means that the actual call to the kernel will have more fields. In particular, there will be a list of group names and a counter to indicate how many elements are in the list.
- the second call will be:
- proxies have to recheck their connections to see if they can still make the connection. This is done as follows:
- connection_id is passed in as a parameter not a return value.
- proxies should recheck services in order of lowest priority to highest priority (typically by checking the oldest sessions first, when that is possible). Note that short-lived proxies and servers started by secured cannot guarantee the order in which ACLs will be rechecked, since they will all get a HUP signal at the same time.
- the backend is able to add, change and delete decision nodes. It is also able to insert new nodes into the tree. In such an embodiment, the following functions are provided to allow this to be done efficiently. All backend calls return 0 for success and -1 for failure. Later, errno will be used to determine what went wrong.
- the Adding New and Updating Nodes call is used to add or update a node.
- the same call is used to add a new node or update a node. If the node_descriptor is unique, then it is a new node, otherwise update the node. In both cases, the values must all be completely filled out.
- host names are stored reversed: rafael.tor.securecomputing.com would be moc.gnitupmoceruces.rot.leafar. These are then put into sorted order, which allows the kernel to quickly process wild card entries. It is also important that unneeded entries are not loaded into the kernel. For example, if the user has specified *.com, then no other entries of the form .com should be present in the list passed to the kernel.
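The reversed-and-sorted host name handling of the item above, as an added example that is not the patent's code: names are reversed so that a wildcard such as *.com becomes the prefix moc.*, entries a broader wildcard already covers are left out of the list handed to the kernel, and matching a host is a prefix compare against the reversed entries. The scc_name_list structure, the MAX_NAMES limit, the function names and the sample names are assumptions constructed for this example.

```c
#include <stdlib.h>
#include <string.h>

#define MAX_NAMES 16            /* constructed limit for this example */
#define MAX_NAME  256

/* Host names as the kernel would hold them: reversed and sorted. */
struct scc_name_list {
    char names[MAX_NAMES][MAX_NAME];
    int count;
};

/* "rafael.tor.securecomputing.com" -> "moc.gnitupmoceruces.rot.leafar" */
void scc_reverse_name(const char *in, char *out, size_t outsz)
{
    size_t n = strlen(in), i;
    if (n >= outsz)
        n = outsz - 1;                  /* truncate rather than overrun */
    for (i = 0; i < n; i++)
        out[i] = in[n - 1 - i];
    out[n] = '\0';
}

/* A reversed wildcard ends in '*' ("*.com" -> "moc.*"). Returns the length of
 * its literal prefix ("moc." -> 4), or 0 when the entry is not a wildcard. */
static size_t wild_prefix_len(const char *rev)
{
    size_t n = strlen(rev);
    return (n > 0 && rev[n - 1] == '*') ? n - 1 : 0;
}

/* True when reversed entry `rev` is already matched by reversed wildcard `wild`.
 * A wildcard counts as covered only by a strictly broader wildcard, so exact
 * duplicates survive this step and collapse after sorting instead. */
static int covered_by(const char *rev, const char *wild)
{
    size_t pl = wild_prefix_len(wild), own = wild_prefix_len(rev);
    if (pl == 0 || strncmp(rev, wild, pl) != 0)
        return 0;
    return own == 0 || pl < own;
}

static int cmp_name(const void *a, const void *b)
{
    return strcmp((const char *)a, (const char *)b);
}

/* Build the list handed to the kernel: reverse each name, leave out entries a
 * wildcard already covers, sort, and collapse duplicates. Returns 0, or -1 if
 * there are more names than the table holds. */
int scc_build_name_list(const char *const *user_names, int n, struct scc_name_list *out)
{
    char rev[MAX_NAMES][MAX_NAME];
    int i, j, kept = 0;

    if (n > MAX_NAMES)
        return -1;
    for (i = 0; i < n; i++)
        scc_reverse_name(user_names[i], rev[i], MAX_NAME);
    for (i = 0; i < n; i++) {
        int covered = 0;
        for (j = 0; j < n && !covered; j++)
            covered = (j != i) && covered_by(rev[i], rev[j]);
        if (!covered)
            memcpy(out->names[kept++], rev[i], MAX_NAME);
    }
    qsort(out->names, (size_t)kept, MAX_NAME, cmp_name);
    out->count = 0;
    for (i = 0; i < kept; i++)
        if (i == 0 || strcmp(out->names[i], out->names[out->count - 1]) != 0) {
            if (out->count != i)
                memcpy(out->names[out->count], out->names[i], MAX_NAME);
            out->count++;
        }
    return 0;
}

/* Match a host: reverse it, then compare against each entry, by prefix for a
 * wildcard and exactly otherwise. Sorted order keeps every host under one
 * wildcard prefix contiguous, which is what lets the kernel bound the search;
 * this example keeps the scan linear for clarity. */
int scc_name_match(const struct scc_name_list *l, const char *host)
{
    char rev[MAX_NAME];
    int i;

    scc_reverse_name(host, rev, sizeof rev);
    for (i = 0; i < l->count; i++) {
        size_t pl = wild_prefix_len(l->names[i]);
        if (pl ? strncmp(rev, l->names[i], pl) == 0
               : strcmp(rev, l->names[i]) == 0)
            return 1;
    }
    return 0;
}
```

Note that the wildcard prefix includes the dot (moc.), so example.orgx does not match *.org: the reversal turns the suffix test into a prefix test without loosening the component boundary.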
- date records must be in sorted order using start_seconds as the key to sort on.
- date_entries field is an array of structs.
- the two arrays must be in sync (i.e. the first MAT address uses the first decision node in the node descriptors array).
- ENOMEM happens when the kernel is out of memory.
- ENOENT happens when the node descriptor specified does not exist.
- EINVAL happens when an invalid argument is provided to a system call.
- One example is if a NULL true_child_node_descriptor is passed in as an argument.
- the service nodes are different from the other nodes.
- the reference is the service number not the node descriptor.
- the node descriptor is there for audit purposes and should be the name of the ACL rule. If a debug value is set here then debugging is turned on recursively down the tree.
- for all nodes, the descriptor to use for the allow terminating node is the string _SCC_ALLOW.
- for the deny connection terminating node, use the string _SCC_DENY.
- Nodes are linked in the same system call that they are built or updated from. Those nodes which only have one path through them only have one potential node leaving them.
- a child node can either be, a descriptor of an existing node, the string _SCC_ALLOW, or the string _SCC_DENY.
- _SCC_ALLOW and _SCC_DENY are the accept and deny terminals of the tree respectively; otherwise the child is another scc_decision_node.
- the system will only delete nodes when the reference count to that node is zero. All deleted nodes will be removed from the decision node table when the system call is made though.
- the ACLs keep track of service counts for all services that use them.
- the counts are kept per (service number, from region, to region) triplet. Because we do not know beforehand how many services there will be, this function is implemented as a two-call method.
- a system call which could be used is as follows:
- the calltype can be one of:
- this system call sets the value of count_size to be the number of elements that need to be allocated in the counts array;
- Each entry in the counts array is defined as follows:
- An example of how a decision tree could be built in a graphical environment is shown in FIGS. 6a-6d.
- square icon 102 is a decision node which checks a connection request to determine if the request is accessing permitted IP addresses or hosts. If so, control moves to Allow node 104. If not, control moves to Deny node 106.
- the system administrator adds user authentication filter 108 to the “TRUE” path from node 102 .
- this will cause the kernel to return a conditional allowance which will require the proxy to perform the level of user authentication required by filter 108 .
- a user/group decision node 110 is added between the IP address check and the user authentication check.
- the access rule will therefore execute in that order. Failure of the connection request to meet the required user/group decision criteria leads to Deny node 112 .
- SmartFilter filter 114 and FTP filter 116 replace Deny node 112 in FIG. 6c.
- the connection is allowed at Allow node 118 . Otherwise the connection which traces down this path is denied.
- Another access control rule embodiment is shown in FIG. 7.
- a second user/group decision node 120 is placed between node 110 and Deny node 112 .
- a second user/group check is made. If the decision at node 120 is “TRUE”, an FTP filter 122 is returned to the proxy and, if the FTP filter permits, the connection is allowed. If, however, the decision at node 120 is “FALSE”, control moves to Deny node 112 and the connection is denied.
- Yet another access control rule embodiment is shown in FIG. 8.
- the access control rule of FIG. 7 is further embellished to add additional checking to the “FALSE” path leading out of decision node 102.
- a SmartFilter filter 126 and a Maximum Concurrent filter 128 are applied. If the filters are not passed, control moves to Deny node 106 and the connection is denied. If, however, the two filters are passed, control moves to rewrite node 130 . If the rewrite can be completed according to its criteria, control moves to Allow node 132 and the connection is allowed. Otherwise, control moves to Deny node 134 and the connection is denied.
- hooks are provided to allow testing of each decision node type.
- the abilities to query the node and to check its values (for the ones that can change) are also provided.
- the ability to get a complete description of all the ACLs from the kernel, including the values of all the fields, is also provided.
- Testing must include fully exercising the system calls. Building trees and changing nodes and thresholds must be carefully tested. Some of the testing hooks should make this work. Things like killing proxies with the kill command and making sure all relevant counts get decremented should also be checked.
- firewall 34 should include a mode where the kernel will log how long was spent in each node.
- the ACLs themselves must satisfy the requirements laid out by the decision tree. This dictates to a large degree how the rules must be implemented. Since the user has no direct access to the ACLs (rather they use the user interface), there are no ease of use concerns here except to say that the ACLs must be something the developers can work with easily. In particular, there must be a good set of tools to debug the ACLs.
- the ACLs are the heart and brains of the access policy of the firewall. Thus it is important that failures, i.e. errors, result in denial of a service rather than allowing the service. This means all incomplete paths and invalid data will be equivalent to denying the connection.
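A walk over a small decision tree, as an added example that is not the patent's code, tying together the pieces described above: the tree of FIGS. 6-8 (an address check, a user/group check, then filters handed back to the proxy), the name_valid rule that skips user decision nodes via their true path, ACL_NEED_USER_NAME when a user node is reached before the proxy has supplied a name, ACL_NEED_MORE_FILTER_SPACE with the required size in filter_text_len, at most rule_name_len - 1 characters of the rule name, and the fail-closed rule that an incomplete path or invalid data denies the connection. ACL_NEED_USER_NAME and ACL_NEED_MORE_FILTER_SPACE are named on the page; the ACL_ALLOW and ACL_DENY names, the node kinds, the scc_request fields, the ';' separator between filter strings, the depth limit and the example tree are assumptions constructed for this example.

```c
#include <stdio.h>
#include <string.h>

/* ACL_NEED_USER_NAME and ACL_NEED_MORE_FILTER_SPACE are named on the page;
 * ACL_ALLOW and ACL_DENY are assumed names for the two terminal results. */
enum { ACL_DENY = 0, ACL_ALLOW = 1, ACL_NEED_USER_NAME = 2, ACL_NEED_MORE_FILTER_SPACE = 3 };

enum node_kind { NODE_IP, NODE_USER, NODE_FILTER };   /* assumed node types */

/* A decision node. Each child is another node's descriptor, the terminal
 * string _SCC_ALLOW or _SCC_DENY, or NULL where a path was left incomplete. */
struct scc_decision_node {
    const char *descriptor;
    enum node_kind kind;
    const char *arg;          /* address prefix, required group, or filter name */
    const char *true_child;
    const char *false_child;
};

/* The request fields this walk consults (a subset of the call described above). */
struct scc_request {
    const char *src_ip;
    const char *user_name;    /* NULL until the proxy has supplied it */
    const char *group;        /* resolved from the user name by the library call */
    int name_valid;           /* 0: user decision nodes are skipped via their true path */
};

#define MAX_DEPTH 32          /* a cyclic tree is invalid data: deny */

/* Constructed tree shaped like FIG. 6d, plus one rule with a missing child. */
const struct scc_decision_node scc_example_tree[] = {
    { "ftp_in",      NODE_IP,     "10.1.",     "group_check", "_SCC_DENY" },
    { "group_check", NODE_USER,   "staff",     "auth_filter", "_SCC_DENY" },
    { "auth_filter", NODE_FILTER, "user_auth", "ftp_filter",  NULL },
    { "ftp_filter",  NODE_FILTER, "ftp",       "_SCC_ALLOW",  NULL },
    { "broken",      NODE_IP,     "10.",       NULL,          "_SCC_DENY" },
};
const int scc_example_tree_len = sizeof scc_example_tree / sizeof scc_example_tree[0];

static const struct scc_decision_node *
find_node(const struct scc_decision_node *tree, int n, const char *name)
{
    for (int i = 0; i < n; i++)
        if (strcmp(tree[i].descriptor, name) == 0)
            return &tree[i];
    return NULL;
}

/* Walk from the rule's root node. Filter strings met on the way are appended
 * to filter_text, each followed by ';'. *filter_text_len becomes the bytes
 * used, or the bytes required when the buffer is too small. Every error or
 * gap yields ACL_DENY: the tree fails closed. */
int scc_is_service_allowed(const struct scc_decision_node *tree, int n, const char *rule,
                           const struct scc_request *r, char *filter_text,
                           int *filter_text_len, char *rule_name, int rule_name_len)
{
    const char *cur = rule;
    int used = 0, need = 1;                         /* need counts the NUL */

    if (*filter_text_len > 0)
        filter_text[0] = '\0';
    for (int depth = 0; depth <= MAX_DEPTH; depth++) {
        if (cur == NULL || strcmp(cur, "_SCC_DENY") == 0)
            return ACL_DENY;                        /* gap or deny terminal */
        if (strcmp(cur, "_SCC_ALLOW") == 0) {
            if (rule_name_len > 0)                  /* at most rule_name_len - 1 chars */
                snprintf(rule_name, (size_t)rule_name_len, "%s", rule);
            if (need > *filter_text_len) {
                *filter_text_len = need;
                return ACL_NEED_MORE_FILTER_SPACE;
            }
            *filter_text_len = used;
            return ACL_ALLOW;
        }
        const struct scc_decision_node *nd = find_node(tree, n, cur);
        if (nd == NULL)
            return ACL_DENY;                        /* dangling descriptor */
        int ok = 0;
        switch (nd->kind) {
        case NODE_IP:
            ok = strncmp(r->src_ip, nd->arg, strlen(nd->arg)) == 0;
            break;
        case NODE_USER:
            if (!r->name_valid) { ok = 1; break; }  /* no user concept: true path */
            if (r->user_name == NULL)
                return ACL_NEED_USER_NAME;          /* proxy must ask, then call again */
            ok = r->group != NULL && strcmp(r->group, nd->arg) == 0;
            break;
        case NODE_FILTER: {                         /* not decided here: hand to the proxy */
            size_t len = strlen(nd->arg);
            need += (int)len + 1;
            if (need <= *filter_text_len) {
                memcpy(filter_text + used, nd->arg, len);
                filter_text[used + len] = ';';
                used += (int)len + 1;
                filter_text[used] = '\0';
            }
            ok = 1;
            break;
        }
        default:
            return ACL_DENY;                        /* unknown node type: invalid data */
        }
        cur = ok ? nd->true_child : nd->false_child;
    }
    return ACL_DENY;                                /* too deep: treat as malformed */
}
```

Calling the walk for rule "ftp_in" with a 10.1.x.x source and no user name returns ACL_NEED_USER_NAME; with a staff user it returns ACL_ALLOW and "user_auth;ftp;" in filter_text for the proxy to apply; with an 8-byte filter buffer it returns ACL_NEED_MORE_FILTER_SPACE and sets filter_text_len to the 15 bytes needed. The "broken" rule shows the fail-closed rule: its true path has no child, so a matching request is denied rather than allowed by accident, and the same holds for an unknown descriptor or node type.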
- a system and method of presenting and managing access control rules which can easily respond to changes in the number of networks and users has been described.
- the result is an ACL mechanism which provides quick access decisions while at the same time maintaining a straightforward representation of complex functionality.
Abstract
Description
Claims (8)
Priority Applications (3)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US09/040,827 US6453419B1 (en) | 1998-03-18 | 1998-03-18 | System and method for implementing a security policy |
EP99912688A EP1062785A2 (en) | 1998-03-18 | 1999-03-18 | System and method for controlling interactions between networks |
PCT/US1999/005991 WO1999048261A2 (en) | 1998-03-18 | 1999-03-18 | System and method for controlling interactions between networks |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US09/040,827 US6453419B1 (en) | 1998-03-18 | 1998-03-18 | System and method for implementing a security policy |
Publications (1)
Publication Number | Publication Date |
---|---|
US6453419B1 true US6453419B1 (en) | 2002-09-17 |
Family
ID=21913194
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US09/040,827 Expired - Lifetime US6453419B1 (en) | 1998-03-18 | 1998-03-18 | System and method for implementing a security policy |
Country Status (1)
Country | Link |
---|---|
US (1) | US6453419B1 (en) |
Cited By (140)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20010042202A1 (en) * | 2000-04-14 | 2001-11-15 | Horvath Charles J. | Dynamically extendible firewall |
US20010042213A1 (en) * | 2000-05-15 | 2001-11-15 | Brian Jemes | System and method for implementing network security policies on a common network infrastructure |
US20020078377A1 (en) * | 2000-12-15 | 2002-06-20 | Ching-Jye Chang | Method and apparatus in an application framework system for providing a port and network hardware resource firewall for distributed applications |
US20020078231A1 (en) * | 2000-12-15 | 2002-06-20 | Ibm Corporation | Simplified network packet analyzer for distributed packet snooper |
US20020154635A1 (en) * | 2001-04-23 | 2002-10-24 | Sun Microsystems, Inc. | System and method for extending private networks onto public infrastructure using supernets |
US20020173981A1 (en) * | 2001-05-18 | 2002-11-21 | Stewart Brett B. | Domain place registration system and method for registering for geographic based services |
US20020178365A1 (en) * | 2001-05-24 | 2002-11-28 | Shingo Yamaguchi | Method and system for controlling access to network resources based on connection security |
US20020178271A1 (en) * | 2000-11-20 | 2002-11-28 | Graham Todd D. | Dynamic file access control and management |
US20030018913A1 (en) * | 2001-06-20 | 2003-01-23 | Brezak John E. | Methods and systems for controlling the scope of delegation of authentication credentials |
US20030065947A1 (en) * | 2001-10-01 | 2003-04-03 | Yu Song | Secure sharing of personal devices among different users |
US20030163577A1 (en) * | 2002-02-23 | 2003-08-28 | Se-Woong Moon | Security system for accessing virtual private network service in communication network and method thereof |
US20030177389A1 (en) * | 2002-03-06 | 2003-09-18 | Zone Labs, Inc. | System and methodology for security policy arbitration |
US20030208596A1 (en) * | 2002-05-01 | 2003-11-06 | Carolan Jason T. | System and method for delivering services over a network in a secure environment |
US6654792B1 (en) * | 2000-02-28 | 2003-11-25 | 3Com Corporation | Method and architecture for logical aggregation of multiple servers |
US20030233580A1 (en) * | 2002-05-29 | 2003-12-18 | Keeler James D. | Authorization and authentication of user access to a distributed network communication system with roaming features |
US20040054696A1 (en) * | 2002-09-13 | 2004-03-18 | Sheinis Joseph Igor | System and method for using proxies |
US20040054887A1 (en) * | 2002-09-12 | 2004-03-18 | International Business Machines Corporation | Method and system for selective email acceptance via encoded email identifiers |
WO2004023307A1 (en) * | 2002-09-06 | 2004-03-18 | O2Micro, Inc. | Vpn and firewall integrated system |
US20040073811A1 (en) * | 2002-10-15 | 2004-04-15 | Aleksey Sanin | Web service security filter |
US20040078591A1 (en) * | 2002-10-18 | 2004-04-22 | Zone Labs, Inc. | Security System And Methodology For Providing Indirect Access Control |
US20040107360A1 (en) * | 2002-12-02 | 2004-06-03 | Zone Labs, Inc. | System and Methodology for Policy Enforcement |
WO2004054198A3 (en) * | 2002-12-02 | 2004-07-22 | Arkoon Network Security | Access method and device for securing access to information systems |
US20040158720A1 (en) * | 1999-02-09 | 2004-08-12 | Secure Computing Corporation | Security framework for supporting kernel-based hypervisors within a computing system |
US20040167984A1 (en) * | 2001-07-06 | 2004-08-26 | Zone Labs, Inc. | System Providing Methodology for Access Control with Cooperative Enforcement |
US20040181602A1 (en) * | 2003-03-11 | 2004-09-16 | Fink Ian M. | Method and system for providing network access and services using access codes |
US20040193907A1 (en) * | 2003-03-28 | 2004-09-30 | Joseph Patanella | Methods and systems for assessing and advising on electronic compliance |
US20040199763A1 (en) * | 2003-04-01 | 2004-10-07 | Zone Labs, Inc. | Security System with Methodology for Interprocess Communication Control |
US6816901B1 (en) | 1999-05-06 | 2004-11-09 | Cisco Technology, Inc. | Proxy session count limitation |
WO2004097584A2 (en) * | 2003-04-28 | 2004-11-11 | P.G.I. Solutions Llc | Method and system for remote network security management |
US20040230791A1 (en) * | 1994-10-12 | 2004-11-18 | Secure Computing Corporation. | System and method for providing secure internetwork services via an assured pipeline |
US20040236702A1 (en) * | 2003-05-21 | 2004-11-25 | Fink Ian M. | User fraud detection and prevention of access to a distributed network communication system |
US6826698B1 (en) * | 2000-09-15 | 2004-11-30 | Networks Associates Technology, Inc. | System, method and computer program product for rule based network security policies |
US20050005145A1 (en) * | 2003-07-02 | 2005-01-06 | Zone Labs, Inc. | System and Methodology Providing Information Lockbox |
US20050022030A1 (en) * | 1996-10-17 | 2005-01-27 | Wesinger Ralph E. | Virtual host for channel processing traffic traversing between a source and destination |
US20050021683A1 (en) * | 2003-03-27 | 2005-01-27 | Chris Newton | Method and apparatus for correlating network activity through visualizing network data |
US6857019B1 (en) | 1999-05-06 | 2005-02-15 | Cisco Technology, Inc. | Virtual private data network session count limitation |
US20050066229A1 (en) * | 2003-09-22 | 2005-03-24 | Jeyhan Karaoguz | Processor sharing between in-range devices |
US6880005B1 (en) * | 2000-03-31 | 2005-04-12 | Intel Corporation | Managing policy rules in a network |
GB2407464A (en) * | 2002-09-06 | 2005-04-27 | O2Micro Inc | VPN and firewall integrated system |
US6898717B1 (en) * | 2000-07-20 | 2005-05-24 | International Business Machines Corporation | Network domain with secured and unsecured servers |
US20050125697A1 (en) * | 2002-12-27 | 2005-06-09 | Fujitsu Limited | Device for checking firewall policy |
US6938169B1 (en) | 1999-12-10 | 2005-08-30 | Sun Microsystems, Inc. | Channel-specific file system views in a private network using a public-network infrastructure |
US20050229248A1 (en) * | 1996-02-06 | 2005-10-13 | Coley Christopher D | Method for transparently managing outbound traffic from an internal user of a private network destined for a public network |
US20050232165A1 (en) * | 2000-05-15 | 2005-10-20 | Brawn John M | System and method of aggregating discontiguous address ranges into addresses and masks using a plurality of repeating address blocks |
US20050261970A1 (en) * | 2004-05-21 | 2005-11-24 | Wayport, Inc. | Method for providing wireless services |
US6970814B1 (en) * | 2000-03-30 | 2005-11-29 | International Business Machines Corporation | Remote IP simulation modeling |
US6970941B1 (en) | 1999-12-10 | 2005-11-29 | Sun Microsystems, Inc. | System and method for separating addresses from the delivery scheme in a virtual private network |
US20050273841A1 (en) * | 2004-06-07 | 2005-12-08 | Check Point Software Technologies, Inc. | System and Methodology for Protecting New Computers by Applying a Preconfigured Security Update Policy |
US6977929B1 (en) | 1999-12-10 | 2005-12-20 | Sun Microsystems, Inc. | Method and system for facilitating relocation of devices on a network |
US20050283441A1 (en) * | 2004-06-21 | 2005-12-22 | Ipolicy Networks, Inc., A Delaware Corporation | Efficient policy change management in virtual private networks |
US20060050870A1 (en) * | 2004-07-29 | 2006-03-09 | Kimmel Gerald D | Information-centric security |
US7016980B1 (en) * | 2000-01-18 | 2006-03-21 | Lucent Technologies Inc. | Method and apparatus for analyzing one or more firewalls |
US20060064469A1 (en) * | 2004-09-23 | 2006-03-23 | Cisco Technology, Inc. | System and method for URL filtering in a firewall |
US20060094400A1 (en) * | 2003-02-28 | 2006-05-04 | Brent Beachem | System and method for filtering access points presented to a user and locking onto an access point |
US20060136390A1 (en) * | 2004-12-22 | 2006-06-22 | International Business Machines Corporation | Method and system for matching of complex nested objects by multilevel hashing |
US20060147043A1 (en) * | 2002-09-23 | 2006-07-06 | Credant Technologies, Inc. | Server, computer memory, and method to support security policy maintenance and distribution |
US7085936B1 (en) * | 1999-08-30 | 2006-08-01 | Symantec Corporation | System and method for using login correlations to detect intrusions |
US7096495B1 (en) * | 2000-03-31 | 2006-08-22 | Intel Corporation | Network session management |
US20060190984A1 (en) * | 2002-09-23 | 2006-08-24 | Credant Technologies, Inc. | Gatekeeper architecture/features to support security policy maintenance and distribution |
US20060209836A1 (en) * | 2001-03-30 | 2006-09-21 | Juniper Networks, Inc. | Internet security system |
US20060236363A1 (en) * | 2002-09-23 | 2006-10-19 | Credant Technologies, Inc. | Client architecture for portable device with security policies |
US20060242685A1 (en) * | 2002-09-23 | 2006-10-26 | Credant Technologies, Inc. | System and method for distribution of security policies for mobile devices |
US7131141B1 (en) * | 2001-07-27 | 2006-10-31 | At&T Corp. | Method and apparatus for securely connecting a plurality of trust-group networks, a protected resource network and an untrusted network |
US20060288116A1 (en) * | 2005-05-31 | 2006-12-21 | Brother Kogyo Kabushiki Kaisha | Management System, and Communication Device and Data Processing Device Used in Such System |
WO2006137057A2 (en) * | 2005-06-21 | 2006-12-28 | Onigma Ltd. | A method and a system for providing comprehensive protection against leakage of sensitive information assets using host based agents, content- meta-data and rules-based policies |
US20070016945A1 (en) * | 2005-07-15 | 2007-01-18 | Microsoft Corporation | Automatically generating rules for connection security |
US20070086338A1 (en) * | 2005-10-17 | 2007-04-19 | Alcatel | Application layer ingress filtering |
US7324514B1 (en) | 2000-01-14 | 2008-01-29 | Cisco Technology, Inc. | Implementing access control lists using a balanced hash table of access control list binary comparison trees |
US7336790B1 (en) * | 1999-12-10 | 2008-02-26 | Sun Microsystems Inc. | Decoupling access control from key management in a network |
US7366919B1 (en) * | 2003-04-25 | 2008-04-29 | Symantec Corporation | Use of geo-location data for spam detection |
US20080109890A1 (en) * | 2006-11-03 | 2008-05-08 | Microsoft Corporation | Selective auto-revocation of firewall security settings |
US20080212222A1 (en) * | 2007-03-01 | 2008-09-04 | Stan Feather | Access control management |
US20080256646A1 (en) * | 2007-04-12 | 2008-10-16 | Microsoft Corporation | Managing Digital Rights in a Member-Based Domain Architecture |
US20080256592A1 (en) * | 2007-04-12 | 2008-10-16 | Microsoft Corporation | Managing Digital Rights for Multiple Assets in an Envelope |
US20090077245A1 (en) * | 2007-08-16 | 2009-03-19 | Vladimir Smelyansky | Client-To-Client Direct RTP Exchange In A Managed Client-Server Network |
US7512965B1 (en) * | 2000-04-19 | 2009-03-31 | Hewlett-Packard Development Company, L.P. | Computer system security service |
US20090125599A1 (en) * | 2007-11-12 | 2009-05-14 | Ricoh Company, Ltd. | Multifunctional input/output device |
US7577998B1 (en) * | 2001-11-16 | 2009-08-18 | Hewlett-Packard Development Company, L.P. | Method of detecting critical file changes |
US20090249436A1 (en) * | 2008-04-01 | 2009-10-01 | Microsoft Corporation | Centralized Enforcement of Name-Based Computer System Security Rules |
US7640590B1 (en) | 2004-12-21 | 2009-12-29 | Symantec Corporation | Presentation of network source and executable characteristics |
US20100054128A1 (en) * | 2008-08-29 | 2010-03-04 | O'hern William | Near Real-Time Alerting of IP Traffic Flow to Subscribers |
US20100138909A1 (en) * | 2002-09-06 | 2010-06-03 | O2Micro, Inc. | Vpn and firewall integrated system |
US20100138910A1 (en) * | 2008-12-03 | 2010-06-03 | Check Point Software Technologies, Ltd. | Methods for encrypted-traffic url filtering using address-mapping interception |
US7739494B1 (en) | 2003-04-25 | 2010-06-15 | Symantec Corporation | SSL validation and stripping using trustworthiness factors |
US20100161967A1 (en) * | 2003-01-09 | 2010-06-24 | Jericho Systems Corporation | Method and system for dynamically implementing an enterprise resource policy |
US7765581B1 (en) | 1999-12-10 | 2010-07-27 | Oracle America, Inc. | System and method for enabling scalable security in a virtual private network |
US7783765B2 (en) * | 2001-12-12 | 2010-08-24 | Hildebrand Hal S | System and method for providing distributed access control to secured documents |
US7827605B2 (en) | 1999-07-14 | 2010-11-02 | Symantec Corporation | System and method for preventing detection of a selected process running on a computer |
US7854005B2 (en) | 1999-07-14 | 2010-12-14 | Symantec Corporation | System and method for generating fictitious content for a computer |
US7861031B2 (en) | 2007-03-01 | 2010-12-28 | Hewlett-Packard Development Company, L.P. | Access control management |
US7913311B2 (en) | 2001-12-12 | 2011-03-22 | Rossmann Alain | Methods and systems for providing access control to electronic data |
US7921284B1 (en) | 2001-12-12 | 2011-04-05 | Gary Mark Kinghorn | Method and system for protecting electronic data in enterprise environment |
US7921288B1 (en) | 2001-12-12 | 2011-04-05 | Hildebrand Hal S | System and method for providing different levels of key security for controlling access to secured items |
US7930756B1 (en) | 2001-12-12 | 2011-04-19 | Crocker Steven Toye | Multi-level cryptographic transformations for securing digital assets |
US7950066B1 (en) | 2001-12-21 | 2011-05-24 | Guardian Data Storage, Llc | Method and system for restricting use of a clipboard application |
US7962358B1 (en) * | 2006-11-06 | 2011-06-14 | Sprint Communications Company L.P. | Integrated project and staffing management |
US8006280B1 (en) | 2001-12-12 | 2011-08-23 | Hildebrand Hal S | Security system for generating keys from access rules in a decentralized manner and methods therefor |
US20110238979A1 (en) * | 2010-03-23 | 2011-09-29 | Adventium Labs | Device for Preventing, Detecting and Responding to Security Threats |
US8065713B1 (en) | 2001-12-12 | 2011-11-22 | Klimenty Vainstein | System and method for providing multi-location access management to secured items |
CN101610264B (en) * | 2009-07-24 | 2011-12-07 | 深圳市永达电子股份有限公司 | Firewall system, safety service platform and firewall system management method |
KR101101085B1 (en) | 2003-07-30 | 2011-12-30 | 마이크로소프트 코포레이션 | Zoned based security administration for data items |
US8127366B2 (en) | 2003-09-30 | 2012-02-28 | Guardian Data Storage, Llc | Method and apparatus for transitioning between states of security policies used to secure electronic documents |
US8176334B2 (en) | 2002-09-30 | 2012-05-08 | Guardian Data Storage, Llc | Document security system that permits external users to gain access to secured files |
US8204945B2 (en) | 2000-06-19 | 2012-06-19 | Stragent, Llc | Hash-based systems and methods for detecting and preventing transmission of unwanted e-mail |
US20120192262A1 (en) * | 2001-12-20 | 2012-07-26 | Mcafee, Inc., A Delaware Corporation | Network adapter firewall system and method |
US8266134B1 (en) * | 2000-04-06 | 2012-09-11 | Google Inc. | Distributed crawling of hyperlinked documents |
US8266674B2 (en) | 2001-12-12 | 2012-09-11 | Guardian Data Storage, Llc | Method and system for implementing changes to security policies in a distributed security system |
US8296320B1 (en) * | 2007-04-30 | 2012-10-23 | Network Appliance, Inc. | Method and system for storing clients' access permissions in a cache |
US8327138B2 (en) | 2003-09-30 | 2012-12-04 | Guardian Data Storage Llc | Method and system for securing digital assets using process-driven security policies |
US8332947B1 (en) | 2006-06-27 | 2012-12-11 | Symantec Corporation | Security threat reporting in light of local security tools |
USRE43906E1 (en) | 2001-12-12 | 2013-01-01 | Guardian Data Storage Llc | Method and apparatus for securing digital assets |
US8438159B1 (en) | 2003-06-25 | 2013-05-07 | Jericho Systems, Inc. | Method and system for selecting advertisements to be presented to a viewer |
US8543827B2 (en) | 2001-12-12 | 2013-09-24 | Intellectual Ventures I Llc | Methods and systems for providing access control to secured data |
US8549640B2 (en) | 1999-07-14 | 2013-10-01 | Symantec Corporation | System and method for computer security |
US8578490B2 (en) | 1999-08-30 | 2013-11-05 | Symantec Corporation | System and method for using timestamps to detect attacks |
US8627416B2 (en) | 2007-07-12 | 2014-01-07 | Wayport, Inc. | Device-specific authorization at distributed locations |
US8707034B1 (en) | 2003-05-30 | 2014-04-22 | Intellectual Ventures I Llc | Method and system for using remote headers to secure electronic files |
US8984644B2 (en) | 2003-07-01 | 2015-03-17 | Securityprofiling, Llc | Anti-vulnerability system, method, and computer program product |
US9047109B1 (en) | 2012-06-20 | 2015-06-02 | Palo Alto Networks, Inc. | Policy enforcement in virtualized environment |
US9055098B2 (en) | 2001-12-20 | 2015-06-09 | Mcafee, Inc. | Embedded anti-virus scanner for a network adapter |
US9100431B2 (en) | 2003-07-01 | 2015-08-04 | Securityprofiling, Llc | Computer program product and apparatus for multi-path remediation |
US9118709B2 (en) | 2003-07-01 | 2015-08-25 | Securityprofiling, Llc | Anti-vulnerability system, method, and computer program product |
US9117069B2 (en) | 2003-07-01 | 2015-08-25 | Securityprofiling, Llc | Real-time vulnerability monitoring |
US9118710B2 (en) | 2003-07-01 | 2015-08-25 | Securityprofiling, Llc | System, method, and computer program product for reporting an occurrence in different manners |
US9118708B2 (en) | 2003-07-01 | 2015-08-25 | Securityprofiling, Llc | Multi-path remediation |
US9118711B2 (en) | 2003-07-01 | 2015-08-25 | Securityprofiling, Llc | Anti-vulnerability system, method, and computer program product |
US9237027B2 (en) * | 2012-03-21 | 2016-01-12 | Raytheon Bbn Technologies Corp. | Destination address control to limit unauthorized communications |
US9350752B2 (en) | 2003-07-01 | 2016-05-24 | Securityprofiling, Llc | Anti-vulnerability system, method, and computer program product |
US9461964B2 (en) | 2011-09-27 | 2016-10-04 | Palo Alto Networks, Inc. | Dynamic address policy enforcement |
US9537891B1 (en) * | 2011-09-27 | 2017-01-03 | Palo Alto Networks, Inc. | Policy enforcement based on dynamically attribute-based matched network objects |
US20170300689A1 (en) * | 2016-04-14 | 2017-10-19 | Airwatch Llc | Anonymized application scanning for mobile devices |
US9805374B2 (en) | 2007-04-12 | 2017-10-31 | Microsoft Technology Licensing, Llc | Content preview |
US9917862B2 (en) * | 2016-04-14 | 2018-03-13 | Airwatch Llc | Integrated application scanning and mobile enterprise computing management system |
US10033700B2 (en) | 2001-12-12 | 2018-07-24 | Intellectual Ventures I Llc | Dynamic evaluation of access rights |
WO2018152303A1 (en) * | 2017-02-15 | 2018-08-23 | Edgewise Networks, Inc. | Network application security policy generation |
US10154067B2 (en) | 2017-02-10 | 2018-12-11 | Edgewise Networks, Inc. | Network application security policy enforcement |
US10348599B2 (en) | 2017-11-10 | 2019-07-09 | Edgewise Networks, Inc. | Automated load balancer discovery |
US10360545B2 (en) | 2001-12-12 | 2019-07-23 | Guardian Data Storage, Llc | Method and apparatus for accessing secured electronic data off-line |
US10439985B2 (en) | 2017-02-15 | 2019-10-08 | Edgewise Networks, Inc. | Network application security policy generation |
US11308109B2 (en) * | 2018-10-12 | 2022-04-19 | International Business Machines Corporation | Transfer between different combinations of source and destination nodes |
Citations (71)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US3956615A (en) | 1974-06-25 | 1976-05-11 | Ibm Corporation | Transaction execution system with secure data storage and communications |
US4104721A (en) | 1976-12-30 | 1978-08-01 | International Business Machines Corporation | Hierarchical security mechanism for dynamically assigning security levels to object programs |
US4177510A (en) | 1973-11-30 | 1979-12-04 | Compagnie Internationale pour l'Informatique, CII Honeywell Bull | Protection of data in an information multiprocessing system by implementing a concept of rings to represent the different levels of privileges among processes |
US4442484A (en) | 1980-10-14 | 1984-04-10 | Intel Corporation | Microprocessor memory management and protection mechanism |
US4584639A (en) | 1983-12-23 | 1986-04-22 | Key Logic, Inc. | Computer security system |
US4621321A (en) | 1984-02-16 | 1986-11-04 | Honeywell Inc. | Secure data processing system architecture |
US4648031A (en) | 1982-06-21 | 1987-03-03 | International Business Machines Corporation | Method and apparatus for restarting a computing system |
US4710763A (en) * | 1984-10-19 | 1987-12-01 | Texas Instruments Incorporated | Method for generating and displaying tree structures in a limited display area |
US4713753A (en) | 1985-02-21 | 1987-12-15 | Honeywell Inc. | Secure data processing system architecture with format control |
US4870571A (en) | 1983-05-04 | 1989-09-26 | The Johns Hopkins University | Intercomputer communications based on message broadcasting with receiver selection |
US4885789A (en) | 1988-02-01 | 1989-12-05 | International Business Machines Corporation | Remote trusted path mechanism for telnet |
US4914568A (en) | 1986-10-24 | 1990-04-03 | National Instruments, Inc. | Graphical system for modelling a process and associated method |
US5093914A (en) | 1989-12-15 | 1992-03-03 | At&T Bell Laboratories | Method of controlling the execution of object-oriented programs |
US5124984A (en) | 1990-08-07 | 1992-06-23 | Concord Communications, Inc. | Access controller for local area network |
US5153918A (en) | 1990-11-19 | 1992-10-06 | Vorec Corporation | Security system for data communications |
US5204961A (en) * | 1990-06-25 | 1993-04-20 | Digital Equipment Corporation | Computer network operating with multilevel hierarchical security with selectable common trust realms and corresponding security protocols |
US5228083A (en) | 1991-06-28 | 1993-07-13 | Digital Equipment Corporation | Cryptographic processing in a communication network, using a single cryptographic engine |
EP0554182A1 (en) | 1992-01-28 | 1993-08-04 | Electricite De France | Method, apparatus and device for message cyphering between interconnected networks |
US5263147A (en) | 1991-03-01 | 1993-11-16 | Hughes Training, Inc. | System for providing high security for personal computers and workstations |
US5272754A (en) | 1991-03-28 | 1993-12-21 | Secure Computing Corporation | Secure computer interface |
US5276735A (en) | 1992-04-17 | 1994-01-04 | Secure Computing Corporation | Data enclave and trusted path system |
US5303303A (en) | 1990-07-18 | 1994-04-12 | Gpt Limited | Data communication system using encrypted data packets |
US5305385A (en) | 1991-10-15 | 1994-04-19 | Ungermann-Bass, Inc. | Network message security method and apparatus |
US5311593A (en) | 1992-05-13 | 1994-05-10 | Chipcom Corporation | Security system for a network concentrator |
US5315657A (en) * | 1990-09-28 | 1994-05-24 | Digital Equipment Corporation | Compound principals in access control lists |
US5329623A (en) | 1992-06-17 | 1994-07-12 | The Trustees Of The University Of Pennsylvania | Apparatus for providing cryptographic support in a network |
US5333266A (en) | 1992-03-27 | 1994-07-26 | International Business Machines Corporation | Method and apparatus for message handling in computer systems |
US5355474A (en) | 1991-09-27 | 1994-10-11 | Thuraisngham Bhavani M | System for multilevel secure database management using a knowledge base with release-based and other security constraints for query, response and update modification |
US5388189A (en) * | 1989-12-06 | 1995-02-07 | Racal-Datacom, Inc. | Alarm filter in an expert system for communications network |
US5414833A (en) | 1993-10-27 | 1995-05-09 | International Business Machines Corporation | Network security system and method using a parallel finite state machine adaptive active monitor and responder |
US5416842A (en) | 1994-06-10 | 1995-05-16 | Sun Microsystems, Inc. | Method and apparatus for key-management scheme for use with internet protocols at site firewalls |
GB2287619A (en) | 1994-03-03 | 1995-09-20 | Ibm | Security device for data communications networks |
US5455828A (en) | 1992-08-17 | 1995-10-03 | Zisapel; Yehuda | Carrier sensing multiple access/collision detection local area networks |
US5485460A (en) | 1994-08-19 | 1996-01-16 | Microsoft Corporation | System and method for running multiple incompatible network protocol stacks |
US5511122A (en) | 1994-06-03 | 1996-04-23 | The United States Of America As Represented By The Secretary Of The Navy | Intermediate network authentication |
WO1996013113A1 (en) | 1994-10-12 | 1996-05-02 | Secure Computing Corporation | System and method for providing secure internetwork services |
US5548646A (en) | 1994-09-15 | 1996-08-20 | Sun Microsystems, Inc. | System for signatureless transmission and reception of data packets between computer networks |
US5550984A (en) | 1994-12-07 | 1996-08-27 | Matsushita Electric Corporation Of America | Security system for preventing unauthorized communications between networks by translating communications received in ip protocol to non-ip protocol to remove address and routing services information |
US5566170A (en) | 1994-12-29 | 1996-10-15 | Storage Technology Corporation | Method and apparatus for accelerated packet forwarding |
WO1996035994A1 (en) | 1995-05-08 | 1996-11-14 | Compuserve Incorporated | Rules based electronic message management system |
EP0743777A2 (en) | 1995-05-18 | 1996-11-20 | Sun Microsystems, Inc. | System for packet filtering of data packets at a computer network interface |
US5586260A (en) | 1993-02-12 | 1996-12-17 | Digital Equipment Corporation | Method and apparatus for authenticating a client to a server in computer systems which support different security mechanisms |
US5604490A (en) | 1994-09-09 | 1997-02-18 | International Business Machines Corporation | Method and system for providing a user access to multiple secured subsystems |
US5606668A (en) | 1993-12-15 | 1997-02-25 | Checkpoint Software Technologies Ltd. | System for securing inbound and outbound data packet flow in a computer network |
US5615340A (en) | 1994-07-21 | 1997-03-25 | Allied Telesyn Int'l Corp. | Network interfacing apparatus and method using repeater and cascade interface with scrambling |
US5619648A (en) | 1994-11-30 | 1997-04-08 | Lucent Technologies Inc. | Message filtering techniques |
WO1997013340A1 (en) | 1995-09-18 | 1997-04-10 | Digital Secured Networks Technology, Inc. | Network security device |
US5623601A (en) | 1994-11-18 | 1997-04-22 | Milkway Networks Corporation | Apparatus and method for providing a secure gateway for communication and data exchanges between networks |
US5636371A (en) | 1995-06-07 | 1997-06-03 | Bull Hn Information Systems Inc. | Virtual network mechanism to access well known port application programs running on a single host system |
US5644571A (en) | 1992-06-15 | 1997-07-01 | Digital Equipment Corporation | Apparatus for message filtering in a network using domain class |
WO1997026731A1 (en) | 1996-01-16 | 1997-07-24 | Raptor Systems, Inc. | Data encryption/decryption for network communication |
WO1997026734A1 (en) | 1996-01-16 | 1997-07-24 | Raptor Systems, Inc. | Transferring encrypted packets over a public network |
WO1997026735A1 (en) | 1996-01-16 | 1997-07-24 | Raptor Systems, Inc. | Key management for network communication |
WO1997029413A2 (en) | 1996-02-09 | 1997-08-14 | Secure Computing Corporation | System and method for achieving network separation |
US5671279A (en) | 1995-11-13 | 1997-09-23 | Netscape Communications Corporation | Electronic commerce using a secure courier system |
US5673322A (en) | 1996-03-22 | 1997-09-30 | Bell Communications Research, Inc. | System and method for providing protocol translation and filtering to access the world wide web from wireless or low-bandwidth networks |
US5684951A (en) | 1996-03-20 | 1997-11-04 | Synopsys, Inc. | Method and system for user authorization over a multi-user computer system |
US5689566A (en) | 1995-10-24 | 1997-11-18 | Nguyen; Minhtam C. | Network with secure communications sessions |
US5699513A (en) | 1995-03-31 | 1997-12-16 | Motorola, Inc. | Method for secure network access via message intercept |
US5706507A (en) | 1995-07-05 | 1998-01-06 | International Business Machines Corporation | System and method for controlling access to data located on a content server |
US5708780A (en) | 1995-06-07 | 1998-01-13 | Open Market, Inc. | Internet server access control and monitoring systems |
US5828893A (en) * | 1992-12-24 | 1998-10-27 | Motorola, Inc. | System and method of communicating between trusted and untrusted computer systems |
US5835758A (en) * | 1995-02-28 | 1998-11-10 | Vidya Technologies, Inc. | Method and system for respresenting and processing physical and conceptual entities |
US5859966A (en) * | 1995-10-10 | 1999-01-12 | Data General Corporation | Security system for computer systems |
US5907620A (en) * | 1996-08-23 | 1999-05-25 | Cheyenne Property Trust | Method and apparatus for enforcing the use of cryptography in an international cryptography framework |
US5987606A (en) * | 1997-03-19 | 1999-11-16 | Bascom Global Internet Services, Inc. | Method and system for content filtering information retrieved from an internet computer network |
US5991807A (en) * | 1996-06-24 | 1999-11-23 | Nortel Networks Corporation | System for controlling users access to a distributive network in accordance with constraints present in common access distributive network interface separate from a server |
US5991879A (en) * | 1997-10-23 | 1999-11-23 | Bull Hn Information Systems Inc. | Method for gradual deployment of user-access security within a data processing system |
US5996011A (en) * | 1997-03-25 | 1999-11-30 | Unified Research Laboratories, Inc. | System and method for filtering data received by a computer system |
US5996077A (en) * | 1997-06-16 | 1999-11-30 | Cylink Corporation | Access control system and method using hierarchical arrangement of security devices |
US6182226B1 (en) * | 1998-03-18 | 2001-01-30 | Secure Computing Corporation | System and method for controlling interactions between networks |
Application | Priority date | Country | Publication | Legal status |
---|---|---|---|---|
US09/040,827 | 1998-03-18 | US | US6453419B1 | Expired - Lifetime |
Patent Citations (73)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US4177510A (en) | 1973-11-30 | 1979-12-04 | Compagnie Internationale pour l'Informatique, CII Honeywell Bull | Protection of data in an information multiprocessing system by implementing a concept of rings to represent the different levels of privileges among processes |
US3956615A (en) | 1974-06-25 | 1976-05-11 | Ibm Corporation | Transaction execution system with secure data storage and communications |
US4104721A (en) | 1976-12-30 | 1978-08-01 | International Business Machines Corporation | Hierarchical security mechanism for dynamically assigning security levels to object programs |
US4442484A (en) | 1980-10-14 | 1984-04-10 | Intel Corporation | Microprocessor memory management and protection mechanism |
US4648031A (en) | 1982-06-21 | 1987-03-03 | International Business Machines Corporation | Method and apparatus for restarting a computing system |
US4870571A (en) | 1983-05-04 | 1989-09-26 | The Johns Hopkins University | Intercomputer communications based on message broadcasting with receiver selection |
US4584639A (en) | 1983-12-23 | 1986-04-22 | Key Logic, Inc. | Computer security system |
US4621321A (en) | 1984-02-16 | 1986-11-04 | Honeywell Inc. | Secure data processing system architecture |
US4701840A (en) | 1984-02-16 | 1987-10-20 | Honeywell Inc. | Secure data processing system architecture |
US4710763A (en) * | 1984-10-19 | 1987-12-01 | Texas Instruments Incorporated | Method for generating and displaying tree structures in a limited display area |
US4713753A (en) | 1985-02-21 | 1987-12-15 | Honeywell Inc. | Secure data processing system architecture with format control |
US4914568A (en) | 1986-10-24 | 1990-04-03 | National Instruments, Inc. | Graphical system for modelling a process and associated method |
US4885789A (en) | 1988-02-01 | 1989-12-05 | International Business Machines Corporation | Remote trusted path mechanism for telnet |
US5388189A (en) * | 1989-12-06 | 1995-02-07 | Racal-Datacom, Inc. | Alarm filter in an expert system for communications network |
US5093914A (en) | 1989-12-15 | 1992-03-03 | At&T Bell Laboratories | Method of controlling the execution of object-oriented programs |
US5204961A (en) * | 1990-06-25 | 1993-04-20 | Digital Equipment Corporation | Computer network operating with multilevel hierarchical security with selectable common trust realms and corresponding security protocols |
US5303303A (en) | 1990-07-18 | 1994-04-12 | Gpt Limited | Data communication system using encrypted data packets |
US5124984A (en) | 1990-08-07 | 1992-06-23 | Concord Communications, Inc. | Access controller for local area network |
US5315657A (en) * | 1990-09-28 | 1994-05-24 | Digital Equipment Corporation | Compound principals in access control lists |
US5153918A (en) | 1990-11-19 | 1992-10-06 | Vorec Corporation | Security system for data communications |
US5263147A (en) | 1991-03-01 | 1993-11-16 | Hughes Training, Inc. | System for providing high security for personal computers and workstations |
US5272754A (en) | 1991-03-28 | 1993-12-21 | Secure Computing Corporation | Secure computer interface |
US5228083A (en) | 1991-06-28 | 1993-07-13 | Digital Equipment Corporation | Cryptographic processing in a communication network, using a single cryptographic engine |
US5355474A (en) | 1991-09-27 | 1994-10-11 | Thuraisngham Bhavani M | System for multilevel secure database management using a knowledge base with release-based and other security constraints for query, response and update modification |
US5305385A (en) | 1991-10-15 | 1994-04-19 | Ungermann-Bass, Inc. | Network message security method and apparatus |
US5583940A (en) | 1992-01-28 | 1996-12-10 | Electricite De France - Service National | Method, apparatus and device for enciphering messages transmitted between interconnected networks |
EP0554182A1 (en) | 1992-01-28 | 1993-08-04 | Electricite De France | Method, apparatus and device for message cyphering between interconnected networks |
US5333266A (en) | 1992-03-27 | 1994-07-26 | International Business Machines Corporation | Method and apparatus for message handling in computer systems |
US5276735A (en) | 1992-04-17 | 1994-01-04 | Secure Computing Corporation | Data enclave and trusted path system |
US5311593A (en) | 1992-05-13 | 1994-05-10 | Chipcom Corporation | Security system for a network concentrator |
US5644571A (en) | 1992-06-15 | 1997-07-01 | Digital Equipment Corporation | Apparatus for message filtering in a network using domain class |
US5329623A (en) | 1992-06-17 | 1994-07-12 | The Trustees Of The University Of Pennsylvania | Apparatus for providing cryptographic support in a network |
US5455828A (en) | 1992-08-17 | 1995-10-03 | Zisapel; Yehuda | Carrier sensing multiple access/collision detection local area networks |
US5828893A (en) * | 1992-12-24 | 1998-10-27 | Motorola, Inc. | System and method of communicating between trusted and untrusted computer systems |
US5586260A (en) | 1993-02-12 | 1996-12-17 | Digital Equipment Corporation | Method and apparatus for authenticating a client to a server in computer systems which support different security mechanisms |
US5414833A (en) | 1993-10-27 | 1995-05-09 | International Business Machines Corporation | Network security system and method using a parallel finite state machine adaptive active monitor and responder |
US5606668A (en) | 1993-12-15 | 1997-02-25 | Checkpoint Software Technologies Ltd. | System for securing inbound and outbound data packet flow in a computer network |
GB2287619A (en) | 1994-03-03 | 1995-09-20 | Ibm | Security device for data communications networks |
US5511122A (en) | 1994-06-03 | 1996-04-23 | The United States Of America As Represented By The Secretary Of The Navy | Intermediate network authentication |
US5416842A (en) | 1994-06-10 | 1995-05-16 | Sun Microsystems, Inc. | Method and apparatus for key-management scheme for use with internet protocols at site firewalls |
US5615340A (en) | 1994-07-21 | 1997-03-25 | Allied Telesyn Int'l Corp. | Network interfacing apparatus and method using repeater and cascade interface with scrambling |
US5485460A (en) | 1994-08-19 | 1996-01-16 | Microsoft Corporation | System and method for running multiple incompatible network protocol stacks |
US5604490A (en) | 1994-09-09 | 1997-02-18 | International Business Machines Corporation | Method and system for providing a user access to multiple secured subsystems |
US5548646A (en) | 1994-09-15 | 1996-08-20 | Sun Microsystems, Inc. | System for signatureless transmission and reception of data packets between computer networks |
WO1996013113A1 (en) | 1994-10-12 | 1996-05-02 | Secure Computing Corporation | System and method for providing secure internetwork services |
US5623601A (en) | 1994-11-18 | 1997-04-22 | Milkway Networks Corporation | Apparatus and method for providing a secure gateway for communication and data exchanges between networks |
US5619648A (en) | 1994-11-30 | 1997-04-08 | Lucent Technologies Inc. | Message filtering techniques |
US5550984A (en) | 1994-12-07 | 1996-08-27 | Matsushita Electric Corporation Of America | Security system for preventing unauthorized communications between networks by translating communications received in ip protocol to non-ip protocol to remove address and routing services information |
US5566170A (en) | 1994-12-29 | 1996-10-15 | Storage Technology Corporation | Method and apparatus for accelerated packet forwarding |
US5835758A (en) * | 1995-02-28 | 1998-11-10 | Vidya Technologies, Inc. | Method and system for respresenting and processing physical and conceptual entities |
US5699513A (en) | 1995-03-31 | 1997-12-16 | Motorola, Inc. | Method for secure network access via message intercept |
WO1996035994A1 (en) | 1995-05-08 | 1996-11-14 | Compuserve Incorporated | Rules based electronic message management system |
EP0743777A2 (en) | 1995-05-18 | 1996-11-20 | Sun Microsystems, Inc. | System for packet filtering of data packets at a computer network interface |
US5636371A (en) | 1995-06-07 | 1997-06-03 | Bull Hn Information Systems Inc. | Virtual network mechanism to access well known port application programs running on a single host system |
US5708780A (en) | 1995-06-07 | 1998-01-13 | Open Market, Inc. | Internet server access control and monitoring systems |
US5706507A (en) | 1995-07-05 | 1998-01-06 | International Business Machines Corporation | System and method for controlling access to data located on a content server |
WO1997013340A1 (en) | 1995-09-18 | 1997-04-10 | Digital Secured Networks Technology, Inc. | Network security device |
US5859966A (en) * | 1995-10-10 | 1999-01-12 | Data General Corporation | Security system for computer systems |
US5689566A (en) | 1995-10-24 | 1997-11-18 | Nguyen; Minhtam C. | Network with secure communications sessions |
US5671279A (en) | 1995-11-13 | 1997-09-23 | Netscape Communications Corporation | Electronic commerce using a secure courier system |
WO1997026734A1 (en) | 1996-01-16 | 1997-07-24 | Raptor Systems, Inc. | Transferring encrypted packets over a public network |
WO1997026735A1 (en) | 1996-01-16 | 1997-07-24 | Raptor Systems, Inc. | Key management for network communication |
WO1997026731A1 (en) | 1996-01-16 | 1997-07-24 | Raptor Systems, Inc. | Data encryption/decryption for network communication |
WO1997029413A2 (en) | 1996-02-09 | 1997-08-14 | Secure Computing Corporation | System and method for achieving network separation |
US5684951A (en) | 1996-03-20 | 1997-11-04 | Synopsys, Inc. | Method and system for user authorization over a multi-user computer system |
US5673322A (en) | 1996-03-22 | 1997-09-30 | Bell Communications Research, Inc. | System and method for providing protocol translation and filtering to access the world wide web from wireless or low-bandwidth networks |
US5991807A (en) * | 1996-06-24 | 1999-11-23 | Nortel Networks Corporation | System for controlling users access to a distributive network in accordance with constraints present in common access distributive network interface separate from a server |
US5907620A (en) * | 1996-08-23 | 1999-05-25 | Cheyenne Property Trust | Method and apparatus for enforcing the use of cryptography in an international cryptography framework |
US5987606A (en) * | 1997-03-19 | 1999-11-16 | Bascom Global Internet Services, Inc. | Method and system for content filtering information retrieved from an internet computer network |
US5996011A (en) * | 1997-03-25 | 1999-11-30 | Unified Research Laboratories, Inc. | System and method for filtering data received by a computer system |
US5996077A (en) * | 1997-06-16 | 1999-11-30 | Cylink Corporation | Access control system and method using hierarchical arrangement of security devices |
US5991879A (en) * | 1997-10-23 | 1999-11-23 | Bull Hn Information Systems Inc. | Method for gradual deployment of user-access security within a data processing system |
US6182226B1 (en) * | 1998-03-18 | 2001-01-30 | Secure Computing Corporation | System and method for controlling interactions between networks |
Non-Patent Citations (59)
Title |
---|
"A General Purpose Proxy Filtering Mechanism Applied to the Mobile Environment", ACM Wireless Networks, vol. 5, 1999, pp. 391-409. * |
"Answers to Frequently Asked Questions About Network Security", Secure Computing Corporation, pp. 1-41 & pp. 1-16 (Sep. 25, 1994). |
"Role-based Access Control with the Security Administration Manager (SAM)", ACM 1997 RBAC Conference, pp. 61-68. * |
"Sidewinder Internals", Product information, Secure Computing Corporation, 16 p. (Oct. 1994). |
"Special Report: Secure Computing Corporation and Network Security", Computer Select, 13 p. (Dec. 1995). |
Adam, J.A., "Meta-Matrices", IEEE Spectrum, p. 26 (Oct. 1992). |
Adam, J.A., "Playing on the Net", IEEE Spectrum, p. 29 (Oct. 1992). |
Ancilotti, P., et al., "Language Features for Access Control", IEEE Transactions on Software Engineering, SE-9, 16-25 (Jan. 1983). |
Badger, L., et al., "Practical Domain and Type Enforcement for UNIX", Proceedings of the 1995 IEEE Symposium on Security and Privacy, pp. 66-77 (May 1995). |
Belkin, N.J., et al., "Information Filtering and Information Retrieval: Two Sides of the Same Coin?", Communications of the ACM, 35, 29-38 (Dec. 1992). |
Bellovin, S.M., et al., "Network Firewalls", IEEE Communications Magazine, 32, 50-57 (Sep. 1994). |
Bevier, W.R., et al., "Connection Policies and Controlled Interference", Proceedings of the Eighth IEEE Computer Security Foundations Workshop, Kenmare, Ireland, p. 167-176 (Jun. 13-15, 1995). |
Boebert, W.E., et al., "Secure Ada Target: Issues, System Design, and Verification", Proceedings of the Symposium on Security and Privacy, Oakland, California, pp. 59-66, (1985). |
Boebert, W.E., et al., "Secure Computing: The Secure Ada Target Approach", Sci. Honeyweller. 6(2), 17 pages, (1985). |
Bowen, T.F., et al., "The Datacycle Architecture", Communications of the ACM, 35, 71-81 (Dec. 1992). |
Bryan, J., "Firewalls For Sale", BYTE, 99-100, 102, 104-105 (Apr. 1995). |
Cobb, S., "Establishing Firewall Policy", IEEE, 198-205 (1996). |
Damashek, M., "Gauging Similarity with n-Grams: Language-Independent Categorization of Text", Science, 267, 843-848 (Feb. 10, 1995). |
Dillaway, B.B., et al., "A Practical Design For A Multilevel Secure Database Management System", American Institute of Aeronautics and Astronautics, Inc., pp. 44-57 (Dec. 1986). |
Fine, T., et al., "Assuring Distributed Trusted Mach", Proceedings of the IEEE Computer Society Symposium on Research in Security and Privacy, pp. 206-218 (1993). |
Foltz, P.W., et al., "Personalized Information Delivery: An Analysis of Information Filtering Methods", Communications of the ACM, 35, 51-60 (Dec. 1992). |
Gassman, B., "Internet Security, and Firewalls Protection on the Internet", IEEE, 93-107 (1996). |
Goldberg, D., et al., "Using Collaborative Filtering to Weave an Information Tapestry", Communications of the ACM, 35, 61-70 (Dec. 1992). |
Grampp, F.T., "UNIX Operating System Security", AT&T Bell Laboratories Technical Journal, 63, 1649-1672 (Oct. 1984). |
Greenwald, M., et al., "Designing an Academic Firewall: Policy, Practice, and Experience with SURF", IEEE, 79-92 (1996). |
Haigh, J.T., et al., "Extending the Noninterference Version of MLS for SAT", Proceedings of the 1986 IEEE Symposium on Security and Privacy, Oakland, CA, pp. 232-239 (Apr. 7-9, 1986). |
International Search Report, PCT Application No. PCT/US 95/12681, 8 p. (mailed Apr. 9, 1996). |
Karn, P., et al., "The ESP DES-CBC Transform", Network Working Group, Request for Comments No. 1829, http://ds.internic.net/rfc/rfc1829.txt, 9 p. (Aug. 1995). |
Kent, S.T., "Internet Privacy Enhanced Mail", Communications of the ACM, 36, 48-60 (Aug. 1993). |
Lampson, B.W., et al., "Dynamic Protection Structures", AFIPS Conference Proceedings, 35, 1969 Fall Joint Computer Conference, Las Vegas, NV, 27-38 (Nov. 18-20, 1969). |
Lee, K.C., et al., "A Framework for Controlling Cooperative Agents", Computer, 8-16 (Jul. 1993). |
Lodin, S.W., et al., "Firewalls Fend Off Invasions from the Net", IEEE Spectrum, 26-34 (Feb. 1998). |
Loeb, S., "Architecting Personalized Delivery of Multimedia Information", Communications of the ACM, 35, 39-48 (1992). |
Loeb, S., et al., "Information Filtering", Communications of the ACM, 35, 26-28 (Dec. 1992). |
McCarthy, S.P., "Hey Hackers! Secure Computing Says You Can't Break into This Telnet Site", Computer Select, 2 p. (Dec. 1995). |
Merenbloom, P., "Network ‘Fire Walls’ Safeguard LAN Data from Outside Intrusion", Infoworld, p. 69 & addnl. page (Jul. 25, 1994). |
Metzger, P., et al., "IP Authentication using Keyed MD5", Network Working Group, Request for Comments No. 1828, http://ds.internic.net/rfc/rfc1828.txt, 5 p. (Aug. 1995). |
News Release: "100% of Hackers Failed to Break Into One Internet Site Protected by Sidewinder™", Secure Computing Corporation (Feb. 16, 1995). |
News Release: "Internet Security System Given ‘Product of the Year’ Award", Secure Computing Corporation (Mar. 28, 1995). |
News Release: "SATAN No Threat to Sidewinder™", Secure Computing Corporation (Apr. 26, 1995). |
Obraczka, K., et al., "Internet Resource Discovery Services", Computer, 8-22 (Sep. 1993). |
Peterson, L.L., et al., In: Computer Networks, Morgan Kaufmann Publishers, Inc., San Francisco, CA, pp. 218-221, 284-286 (1996). |
Press, L., "The Net: Progress and Opportunity", Communications of the ACM, 35, 21-25 (Dec. 1992). |
Schroeder, M.D., et al., "A Hardware Architecture for Implementing Protection Rings", Communications of the ACM, 15, 157-170 (Mar. 1972). |
Schwartz, M.F., "Internet Resource Discovery at the University of Colorado", Computer, 25-35 (Sep. 1993). |
Smith, R.E., "Constructing a High Assurance Mail Guard", Secure Computing Corporation (Appeared in the Proceedings of the National Computer Security Conference), 7 p. (1994). |
Smith, R.E., "Sidewinder: Defense in Depth Using Type Enforcement", International Journal of Network Management, p. 219-229 (Jul.-Aug. 1995). |
Stadnyk, I., et al., "Modeling User's Interests in Information Filters", Communications of the ACM, 35, 49-50 (Dec. 1992). |
Stempel, S., "IpAccess: An Internet Service Access System for Firewall Installations", IEEE, 31-41 (1995). |
Stevens, C., "Automating the Creation of Information Filters", Communications of the ACM, 35, 48 (Dec. 1992). |
Thomsen, D., "Type Enforcement: The New Security Model", SPIE, 2617, 143-150 (1995). |
Warrier, U.S., et al., "A Platform for Heterogeneous Interconnection Network Management", IEEE Journal on Selected Areas in Communications, 8, 119-126 (Jan. 1990). |
White, L.J., et al., "A Firewall Concept for Both Control-Flow and Data-Flow in Regression Integration Testing", IEEE, 262-271 (1992). |
Wolfe, A., "Honeywell Builds Hardware for Computer Security", Electronics, 14-15 (Sep. 2, 1985). |
Cited By (237)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20040230791A1 (en) * | 1994-10-12 | 2004-11-18 | Secure Computing Corporation | System and method for providing secure internetwork services via an assured pipeline |
US20070226789A1 (en) * | 1994-10-12 | 2007-09-27 | Secure Computing Corporation | System and method for providing secure internetwork services via an assured pipeline |
US7730299B2 (en) | 1994-10-12 | 2010-06-01 | Secure Computing, Llc | System and method for providing secure internetwork services via an assured pipeline |
US7181613B2 (en) | 1994-10-12 | 2007-02-20 | Secure Computing Corporation | System and method for providing secure internetwork services via an assured pipeline |
US7383573B2 (en) | 1996-02-06 | 2008-06-03 | Graphon Corporation | Method for transparently managing outbound traffic from an internal user of a private network destined for a public network |
US20050229248A1 (en) * | 1996-02-06 | 2005-10-13 | Coley Christopher D | Method for transparently managing outbound traffic from an internal user of a private network destined for a public network |
US20050235359A1 (en) * | 1996-02-06 | 2005-10-20 | Coley Christopher D | Method for resisting a denial-of-service attack of a private network element |
US20050022030A1 (en) * | 1996-10-17 | 2005-01-27 | Wesinger Ralph E. | Virtual host for channel processing traffic traversing between a source and destination |
US20040158720A1 (en) * | 1999-02-09 | 2004-08-12 | Secure Computing Corporation | Security framework for supporting kernel-based hypervisors within a computing system |
US7263718B2 (en) * | 1999-02-09 | 2007-08-28 | Secure Computing Corporation | Security framework for supporting kernel-based hypervisors within a computing system |
US6910067B1 (en) * | 1999-05-06 | 2005-06-21 | Cisco Technology, Inc. | Virtual private data network session count limitation |
US6816901B1 (en) | 1999-05-06 | 2004-11-09 | Cisco Technology, Inc. | Proxy session count limitation |
US7493395B2 (en) | 1999-05-06 | 2009-02-17 | Cisco Technology, Inc. | Virtual private data network session count limitation |
US6857019B1 (en) | 1999-05-06 | 2005-02-15 | Cisco Technology, Inc. | Virtual private data network session count limitation |
US7854005B2 (en) | 1999-07-14 | 2010-12-14 | Symantec Corporation | System and method for generating fictitious content for a computer |
US8549640B2 (en) | 1999-07-14 | 2013-10-01 | Symantec Corporation | System and method for computer security |
US7827605B2 (en) | 1999-07-14 | 2010-11-02 | Symantec Corporation | System and method for preventing detection of a selected process running on a computer |
US7085936B1 (en) * | 1999-08-30 | 2006-08-01 | Symantec Corporation | System and method for using login correlations to detect intrusions |
US8578490B2 (en) | 1999-08-30 | 2013-11-05 | Symantec Corporation | System and method for using timestamps to detect attacks |
US7765581B1 (en) | 1999-12-10 | 2010-07-27 | Oracle America, Inc. | System and method for enabling scalable security in a virtual private network |
US7685309B2 (en) | 1999-12-10 | 2010-03-23 | Sun Microsystems, Inc. | System and method for separating addresses from the delivery scheme in a virtual private network |
US6977929B1 (en) | 1999-12-10 | 2005-12-20 | Sun Microsystems, Inc. | Method and system for facilitating relocation of devices on a network |
US7336790B1 (en) * | 1999-12-10 | 2008-02-26 | Sun Microsystems Inc. | Decoupling access control from key management in a network |
US20060077977A1 (en) * | 1999-12-10 | 2006-04-13 | Sun Microsystems, Inc. | System and method for separating addresses from the delivery scheme in a virtual private network |
US6938169B1 (en) | 1999-12-10 | 2005-08-30 | Sun Microsystems, Inc. | Channel-specific file system views in a private network using a public-network infrastructure |
US6970941B1 (en) | 1999-12-10 | 2005-11-29 | Sun Microsystems, Inc. | System and method for separating addresses from the delivery scheme in a virtual private network |
US7324514B1 (en) | 2000-01-14 | 2008-01-29 | Cisco Technology, Inc. | Implementing access control lists using a balanced hash table of access control list binary comparison trees |
US7016980B1 (en) * | 2000-01-18 | 2006-03-21 | Lucent Technologies Inc. | Method and apparatus for analyzing one or more firewalls |
US6654792B1 (en) * | 2000-02-28 | 2003-11-25 | 3Com Corporation | Method and architecture for logical aggregation of multiple servers |
US7299301B1 (en) | 2000-02-28 | 2007-11-20 | 3Com Corporation | Method and architecture for logical aggregation of multiple servers |
US6970814B1 (en) * | 2000-03-30 | 2005-11-29 | International Business Machines Corporation | Remote IP simulation modeling |
US6880005B1 (en) * | 2000-03-31 | 2005-04-12 | Intel Corporation | Managing policy rules in a network |
US7096495B1 (en) * | 2000-03-31 | 2006-08-22 | Intel Corporation | Network session management |
US8266134B1 (en) * | 2000-04-06 | 2012-09-11 | Google Inc. | Distributed crawling of hyperlinked documents |
US8812478B1 (en) * | 2000-04-06 | 2014-08-19 | Google Inc. | Distributed crawling of hyperlinked documents |
US20010042202A1 (en) * | 2000-04-14 | 2001-11-15 | Horvath Charles J. | Dynamically extendible firewall |
US7512965B1 (en) * | 2000-04-19 | 2009-03-31 | Hewlett-Packard Development Company, L.P. | Computer system security service |
US7263719B2 (en) * | 2000-05-15 | 2007-08-28 | Hewlett-Packard Development Company, L.P. | System and method for implementing network security policies on a common network infrastructure |
US7400591B2 (en) | 2000-05-15 | 2008-07-15 | Hewlett-Packard Development Company, L.P. | Method of creating an address and a discontiguous mask for a network security policy area |
US20010042213A1 (en) * | 2000-05-15 | 2001-11-15 | Brian Jemes | System and method for implementing network security policies on a common network infrastructure |
US20050232165A1 (en) * | 2000-05-15 | 2005-10-20 | Brawn John M | System and method of aggregating discontiguous address ranges into addresses and masks using a plurality of repeating address blocks |
US8272060B2 (en) | 2000-06-19 | 2012-09-18 | Stragent, Llc | Hash-based systems and methods for detecting and preventing transmission of polymorphic network worms and viruses |
US8204945B2 (en) | 2000-06-19 | 2012-06-19 | Stragent, Llc | Hash-based systems and methods for detecting and preventing transmission of unwanted e-mail |
US6898717B1 (en) * | 2000-07-20 | 2005-05-24 | International Business Machines Corporation | Network domain with secured and unsecured servers |
US6826698B1 (en) * | 2000-09-15 | 2004-11-30 | Networks Associates Technology, Inc. | System, method and computer program product for rule based network security policies |
US7660902B2 (en) * | 2000-11-20 | 2010-02-09 | Rsa Security, Inc. | Dynamic file access control and management |
US20020178271A1 (en) * | 2000-11-20 | 2002-11-28 | Graham Todd D. | Dynamic file access control and management |
US20020078377A1 (en) * | 2000-12-15 | 2002-06-20 | Ching-Jye Chang | Method and apparatus in an application framework system for providing a port and network hardware resource firewall for distributed applications |
US7296292B2 (en) * | 2000-12-15 | 2007-11-13 | International Business Machines Corporation | Method and apparatus in an application framework system for providing a port and network hardware resource firewall for distributed applications |
US7269647B2 (en) | 2000-12-15 | 2007-09-11 | International Business Machines Corporation | Simplified network packet analyzer for distributed packet snooper |
US20020078231A1 (en) * | 2000-12-15 | 2002-06-20 | Ibm Corporation | Simplified network packet analyzer for distributed packet snooper |
US20060209836A1 (en) * | 2001-03-30 | 2006-09-21 | Juniper Networks, Inc. | Internet security system |
US9185075B2 (en) * | 2001-03-30 | 2015-11-10 | Juniper Networks, Inc. | Internet security system |
US20020154635A1 (en) * | 2001-04-23 | 2002-10-24 | Sun Microsystems, Inc. | System and method for extending private networks onto public infrastructure using supernets |
US20020173981A1 (en) * | 2001-05-18 | 2002-11-21 | Stewart Brett B. | Domain place registration system and method for registering for geographic based services |
US20020178365A1 (en) * | 2001-05-24 | 2002-11-28 | Shingo Yamaguchi | Method and system for controlling access to network resources based on connection security |
US20030018913A1 (en) * | 2001-06-20 | 2003-01-23 | Brezak John E. | Methods and systems for controlling the scope of delegation of authentication credentials |
US7698381B2 (en) | 2001-06-20 | 2010-04-13 | Microsoft Corporation | Methods and systems for controlling the scope of delegation of authentication credentials |
US20040167984A1 (en) * | 2001-07-06 | 2004-08-26 | Zone Labs, Inc. | System Providing Methodology for Access Control with Cooperative Enforcement |
US7590684B2 (en) | 2001-07-06 | 2009-09-15 | Check Point Software Technologies, Inc. | System providing methodology for access control with cooperative enforcement |
US7131141B1 (en) * | 2001-07-27 | 2006-10-31 | At&T Corp. | Method and apparatus for securely connecting a plurality of trust-group networks, a protected resource network and an untrusted network |
US20030065947A1 (en) * | 2001-10-01 | 2003-04-03 | Yu Song | Secure sharing of personal devices among different users |
US7143443B2 (en) | 2001-10-01 | 2006-11-28 | Ntt Docomo, Inc. | Secure sharing of personal devices among different users |
US20060259765A1 (en) * | 2001-10-01 | 2006-11-16 | Yu Song | Secure sharing of personal devices among different users |
US7380282B2 (en) | 2001-10-01 | 2008-05-27 | Ntt Docomo, Inc. | Secure sharing of personal devices among different users |
US7577998B1 (en) * | 2001-11-16 | 2009-08-18 | Hewlett-Packard Development Company, L.P. | Method of detecting critical file changes |
US8341407B2 (en) | 2001-12-12 | 2012-12-25 | Guardian Data Storage, Llc | Method and system for protecting electronic data in enterprise environment |
US9542560B2 (en) | 2001-12-12 | 2017-01-10 | Intellectual Ventures I Llc | Methods and systems for providing access control to secured data |
US8065713B1 (en) | 2001-12-12 | 2011-11-22 | Klimenty Vainstein | System and method for providing multi-location access management to secured items |
US10769288B2 (en) | 2001-12-12 | 2020-09-08 | Intellectual Property Ventures I Llc | Methods and systems for providing access control to secured data |
US8006280B1 (en) | 2001-12-12 | 2011-08-23 | Hildebrand Hal S | Security system for generating keys from access rules in a decentralized manner and methods therefor |
USRE43906E1 (en) | 2001-12-12 | 2013-01-01 | Guardian Data Storage Llc | Method and apparatus for securing digital assets |
US7783765B2 (en) * | 2001-12-12 | 2010-08-24 | Hildebrand Hal S | System and method for providing distributed access control to secured documents |
US7930756B1 (en) | 2001-12-12 | 2011-04-19 | Crocker Steven Toye | Multi-level cryptographic transformations for securing digital assets |
US9129120B2 (en) | 2001-12-12 | 2015-09-08 | Intellectual Ventures I Llc | Methods and systems for providing access control to secured data |
US8543827B2 (en) | 2001-12-12 | 2013-09-24 | Intellectual Ventures I Llc | Methods and systems for providing access control to secured data |
US7921288B1 (en) | 2001-12-12 | 2011-04-05 | Hildebrand Hal S | System and method for providing different levels of key security for controlling access to secured items |
US8266674B2 (en) | 2001-12-12 | 2012-09-11 | Guardian Data Storage, Llc | Method and system for implementing changes to security policies in a distributed security system |
US7921284B1 (en) | 2001-12-12 | 2011-04-05 | Gary Mark Kinghorn | Method and system for protecting electronic data in enterprise environment |
US10360545B2 (en) | 2001-12-12 | 2019-07-23 | Guardian Data Storage, Llc | Method and apparatus for accessing secured electronic data off-line |
US8918839B2 (en) | 2001-12-12 | 2014-12-23 | Intellectual Ventures I Llc | System and method for providing multi-location access management to secured items |
US7913311B2 (en) | 2001-12-12 | 2011-03-22 | Rossmann Alain | Methods and systems for providing access control to electronic data |
US10229279B2 (en) | 2001-12-12 | 2019-03-12 | Intellectual Ventures I Llc | Methods and systems for providing access control to secured data |
US10033700B2 (en) | 2001-12-12 | 2018-07-24 | Intellectual Ventures I Llc | Dynamic evaluation of access rights |
US8341406B2 (en) | 2001-12-12 | 2012-12-25 | Guardian Data Storage, Llc | System and method for providing different levels of key security for controlling access to secured items |
US8627443B2 (en) * | 2001-12-20 | 2014-01-07 | Mcafee, Inc. | Network adapter firewall system and method |
US20120192262A1 (en) * | 2001-12-20 | 2012-07-26 | Mcafee, Inc., A Delaware Corporation | Network adapter firewall system and method |
US9876818B2 (en) | 2001-12-20 | 2018-01-23 | McAFEE, LLC. | Embedded anti-virus scanner for a network adapter |
US9055098B2 (en) | 2001-12-20 | 2015-06-09 | Mcafee, Inc. | Embedded anti-virus scanner for a network adapter |
US7950066B1 (en) | 2001-12-21 | 2011-05-24 | Guardian Data Storage, Llc | Method and system for restricting use of a clipboard application |
US8943316B2 (en) | 2002-02-12 | 2015-01-27 | Intellectual Ventures I Llc | Document security system that permits external users to gain access to secured files |
US20030163577A1 (en) * | 2002-02-23 | 2003-08-28 | Se-Woong Moon | Security system for accessing virtual private network service in communication network and method thereof |
US7546629B2 (en) | 2002-03-06 | 2009-06-09 | Check Point Software Technologies, Inc. | System and methodology for security policy arbitration |
US20030177389A1 (en) * | 2002-03-06 | 2003-09-18 | Zone Labs, Inc. | System and methodology for security policy arbitration |
US20030208596A1 (en) * | 2002-05-01 | 2003-11-06 | Carolan Jason T. | System and method for delivering services over a network in a secure environment |
US7856659B2 (en) | 2002-05-29 | 2010-12-21 | Wayport, Inc. | System and method for user access to a distributed network communication system using persistent identification of subscribers |
US20030233332A1 (en) * | 2002-05-29 | 2003-12-18 | Keeler James D. | System and method for user access to a distributed network communication system using persistent identification of subscribers |
US20030233580A1 (en) * | 2002-05-29 | 2003-12-18 | Keeler James D. | Authorization and authentication of user access to a distributed network communication system with roaming features |
US20100138909A1 (en) * | 2002-09-06 | 2010-06-03 | O2Micro, Inc. | Vpn and firewall integrated system |
GB2397204B (en) * | 2002-09-06 | 2005-03-30 | O2Micro Inc | VPN and firewall integrated system |
WO2004023307A1 (en) * | 2002-09-06 | 2004-03-18 | O2Micro, Inc. | Vpn and firewall integrated system |
GB2407464B (en) * | 2002-09-06 | 2005-12-14 | O2Micro Inc | VPN and firewall integrated system |
US20060174336A1 (en) * | 2002-09-06 | 2006-08-03 | Jyshyang Chen | VPN and firewall integrated system |
GB2397204A (en) * | 2002-09-06 | 2004-07-14 | O2Micro Inc | VPN and firewall integrated system |
GB2407464A (en) * | 2002-09-06 | 2005-04-27 | O2Micro Inc | VPN and firewall integrated system |
US7596806B2 (en) | 2002-09-06 | 2009-09-29 | O2Micro International Limited | VPN and firewall integrated system |
US20040054887A1 (en) * | 2002-09-12 | 2004-03-18 | International Business Machines Corporation | Method and system for selective email acceptance via encoded email identifiers |
US7913079B2 (en) | 2002-09-12 | 2011-03-22 | International Business Machines Corporation | Method and system for selective email acceptance via encoded email identifiers |
US7363490B2 (en) * | 2002-09-12 | 2008-04-22 | International Business Machines Corporation | Method and system for selective email acceptance via encoded email identifiers |
US20040054696A1 (en) * | 2002-09-13 | 2004-03-18 | Sheinis Joseph Igor | System and method for using proxies |
US7665125B2 (en) | 2002-09-23 | 2010-02-16 | Heard Robert W | System and method for distribution of security policies for mobile devices |
US20060190984A1 (en) * | 2002-09-23 | 2006-08-24 | Credant Technologies, Inc. | Gatekeeper architecture/features to support security policy maintenance and distribution |
US20060147043A1 (en) * | 2002-09-23 | 2006-07-06 | Credant Technologies, Inc. | Server, computer memory, and method to support security policy maintenance and distribution |
US20060242685A1 (en) * | 2002-09-23 | 2006-10-26 | Credant Technologies, Inc. | System and method for distribution of security policies for mobile devices |
US20060236363A1 (en) * | 2002-09-23 | 2006-10-19 | Credant Technologies, Inc. | Client architecture for portable device with security policies |
US7665118B2 (en) | 2002-09-23 | 2010-02-16 | Credant Technologies, Inc. | Server, computer memory, and method to support security policy maintenance and distribution |
US8176334B2 (en) | 2002-09-30 | 2012-05-08 | Guardian Data Storage, Llc | Document security system that permits external users to gain access to secured files |
USRE47443E1 (en) | 2002-09-30 | 2019-06-18 | Intellectual Ventures I Llc | Document security system that permits external users to gain access to secured files |
WO2004036426A1 (en) * | 2002-10-15 | 2004-04-29 | America Online, Incorporated | Web service security filter |
US20040073811A1 (en) * | 2002-10-15 | 2004-04-15 | Aleksey Sanin | Web service security filter |
US6850943B2 (en) | 2002-10-18 | 2005-02-01 | Check Point Software Technologies, Inc. | Security system and methodology for providing indirect access control |
US20040078591A1 (en) * | 2002-10-18 | 2004-04-22 | Zone Labs, Inc. | Security System And Methodology For Providing Indirect Access Control |
US20040107360A1 (en) * | 2002-12-02 | 2004-06-03 | Zone Labs, Inc. | System and Methodology for Policy Enforcement |
WO2004054198A3 (en) * | 2002-12-02 | 2004-07-22 | Arkoon Network Security | Access method and device for securing access to information systems |
US20050125697A1 (en) * | 2002-12-27 | 2005-06-09 | Fujitsu Limited | Device for checking firewall policy |
US20100161967A1 (en) * | 2003-01-09 | 2010-06-24 | Jericho Systems Corporation | Method and system for dynamically implementing an enterprise resource policy |
US9438559B1 (en) | 2003-01-09 | 2016-09-06 | Jericho Systems Corporation | System for managing access to protected resources |
US8560836B2 (en) | 2003-01-09 | 2013-10-15 | Jericho Systems Corporation | Method and system for dynamically implementing an enterprise resource policy |
US9432404B1 (en) | 2003-01-09 | 2016-08-30 | Jericho Systems Corporation | System for managing access to protected resources |
US10652745B2 (en) | 2003-02-28 | 2020-05-12 | Apple Inc. | System and method for filtering access points presented to a user and locking onto an access point |
US9237514B2 (en) * | 2003-02-28 | 2016-01-12 | Apple Inc. | System and method for filtering access points presented to a user and locking onto an access point |
US20060094400A1 (en) * | 2003-02-28 | 2006-05-04 | Brent Beachem | System and method for filtering access points presented to a user and locking onto an access point |
US7428413B2 (en) | 2003-03-11 | 2008-09-23 | Wayport, Inc. | Method and system for providing network access and services using access codes |
US20040181602A1 (en) * | 2003-03-11 | 2004-09-16 | Fink Ian M. | Method and system for providing network access and services using access codes |
US20050021683A1 (en) * | 2003-03-27 | 2005-01-27 | Chris Newton | Method and apparatus for correlating network activity through visualizing network data |
US8201256B2 (en) * | 2003-03-28 | 2012-06-12 | Trustwave Holdings, Inc. | Methods and systems for assessing and advising on electronic compliance |
US20040193907A1 (en) * | 2003-03-28 | 2004-09-30 | Joseph Patanella | Methods and systems for assessing and advising on electronic compliance |
US20040199763A1 (en) * | 2003-04-01 | 2004-10-07 | Zone Labs, Inc. | Security System with Methodology for Interprocess Communication Control |
US8136155B2 (en) | 2003-04-01 | 2012-03-13 | Check Point Software Technologies, Inc. | Security system with methodology for interprocess communication control |
US7366919B1 (en) * | 2003-04-25 | 2008-04-29 | Symantec Corporation | Use of geo-location data for spam detection |
US7739494B1 (en) | 2003-04-25 | 2010-06-15 | Symantec Corporation | SSL validation and stripping using trustworthiness factors |
US20040255167A1 (en) * | 2003-04-28 | 2004-12-16 | Knight James Michael | Method and system for remote network security management |
WO2004097584A3 (en) * | 2003-04-28 | 2005-04-07 | P G I Solutions Llc | Method and system for remote network security management |
WO2004097584A2 (en) * | 2003-04-28 | 2004-11-11 | P.G.I. Solutions Llc | Method and system for remote network security management |
US8108916B2 (en) | 2003-05-21 | 2012-01-31 | Wayport, Inc. | User fraud detection and prevention of access to a distributed network communication system |
US20040236702A1 (en) * | 2003-05-21 | 2004-11-25 | Fink Ian M. | User fraud detection and prevention of access to a distributed network communication system |
US8707034B1 (en) | 2003-05-30 | 2014-04-22 | Intellectual Ventures I Llc | Method and system for using remote headers to secure electronic files |
US8745046B2 (en) | 2003-06-25 | 2014-06-03 | Jericho Systems Corporation | Method and system for selecting content items to be presented to a viewer |
US8438159B1 (en) | 2003-06-25 | 2013-05-07 | Jericho Systems, Inc. | Method and system for selecting advertisements to be presented to a viewer |
US9118711B2 (en) | 2003-07-01 | 2015-08-25 | Securityprofiling, Llc | Anti-vulnerability system, method, and computer program product |
US9350752B2 (en) | 2003-07-01 | 2016-05-24 | Securityprofiling, Llc | Anti-vulnerability system, method, and computer program product |
US9118709B2 (en) | 2003-07-01 | 2015-08-25 | Securityprofiling, Llc | Anti-vulnerability system, method, and computer program product |
US9117069B2 (en) | 2003-07-01 | 2015-08-25 | Securityprofiling, Llc | Real-time vulnerability monitoring |
US9100431B2 (en) | 2003-07-01 | 2015-08-04 | Securityprofiling, Llc | Computer program product and apparatus for multi-path remediation |
US10154055B2 (en) | 2003-07-01 | 2018-12-11 | Securityprofiling, Llc | Real-time vulnerability monitoring |
US10104110B2 (en) | 2003-07-01 | 2018-10-16 | Securityprofiling, Llc | Anti-vulnerability system, method, and computer program product |
US9118708B2 (en) | 2003-07-01 | 2015-08-25 | Securityprofiling, Llc | Multi-path remediation |
US9118710B2 (en) | 2003-07-01 | 2015-08-25 | Securityprofiling, Llc | System, method, and computer program product for reporting an occurrence in different manners |
US9225686B2 (en) | 2003-07-01 | 2015-12-29 | Securityprofiling, Llc | Anti-vulnerability system, method, and computer program product |
US8984644B2 (en) | 2003-07-01 | 2015-03-17 | Securityprofiling, Llc | Anti-vulnerability system, method, and computer program product |
US10021124B2 (en) | 2003-07-01 | 2018-07-10 | Securityprofiling, Llc | Computer program product and apparatus for multi-path remediation |
US10050988B2 (en) | 2003-07-01 | 2018-08-14 | Securityprofiling, Llc | Computer program product and apparatus for multi-path remediation |
US20050005145A1 (en) * | 2003-07-02 | 2005-01-06 | Zone Labs, Inc. | System and Methodology Providing Information Lockbox |
US7788726B2 (en) | 2003-07-02 | 2010-08-31 | Check Point Software Technologies, Inc. | System and methodology providing information lockbox |
KR101101085B1 (en) | 2003-07-30 | 2011-12-30 | 마이크로소프트 코포레이션 | Zoned based security administration for data items |
US8452847B2 (en) * | 2003-09-22 | 2013-05-28 | Broadcom Corporation | Processor sharing between in-range devices |
US20050066229A1 (en) * | 2003-09-22 | 2005-03-24 | Jeyhan Karaoguz | Processor sharing between in-range devices |
US9270738B2 (en) | 2003-09-22 | 2016-02-23 | Broadcom Corporation | Processor sharing between in-range devices |
US8327138B2 (en) | 2003-09-30 | 2012-12-04 | Guardian Data Storage Llc | Method and system for securing digital assets using process-driven security policies |
US8739302B2 (en) | 2003-09-30 | 2014-05-27 | Intellectual Ventures I Llc | Method and apparatus for transitioning between states of security policies used to secure electronic documents |
US8127366B2 (en) | 2003-09-30 | 2012-02-28 | Guardian Data Storage, Llc | Method and apparatus for transitioning between states of security policies used to secure electronic documents |
US20080097858A1 (en) * | 2004-05-21 | 2008-04-24 | Vucina David J | System, method and program product for delivery of digital content offerings at a retail establishment |
US20050261970A1 (en) * | 2004-05-21 | 2005-11-24 | Wayport, Inc. | Method for providing wireless services |
US10291417B2 (en) | 2004-05-21 | 2019-05-14 | Wayport, Inc. | System, method and program product for delivery of digital content offerings at a retail establishment |
US20050273841A1 (en) * | 2004-06-07 | 2005-12-08 | Check Point Software Technologies, Inc. | System and Methodology for Protecting New Computers by Applying a Preconfigured Security Update Policy |
US7540013B2 (en) | 2004-06-07 | 2009-05-26 | Check Point Software Technologies, Inc. | System and methodology for protecting new computers by applying a preconfigured security update policy |
US20050283441A1 (en) * | 2004-06-21 | 2005-12-22 | Ipolicy Networks, Inc., A Delaware Corporation | Efficient policy change management in virtual private networks |
US7739501B2 (en) | 2004-07-29 | 2010-06-15 | Infoassure, Inc. | Cryptographic key construct |
US7715565B2 (en) | 2004-07-29 | 2010-05-11 | Infoassure, Inc. | Information-centric security |
US20060050870A1 (en) * | 2004-07-29 | 2006-03-09 | Kimmel Gerald D | Information-centric security |
US7711120B2 (en) | 2004-07-29 | 2010-05-04 | Infoassure, Inc. | Cryptographic key management |
US20060064469A1 (en) * | 2004-09-23 | 2006-03-23 | Cisco Technology, Inc. | System and method for URL filtering in a firewall |
US7640590B1 (en) | 2004-12-21 | 2009-12-29 | Symantec Corporation | Presentation of network source and executable characteristics |
US20060136390A1 (en) * | 2004-12-22 | 2006-06-22 | International Business Machines Corporation | Method and system for matching of complex nested objects by multilevel hashing |
US7613701B2 (en) * | 2004-12-22 | 2009-11-03 | International Business Machines Corporation | Matching of complex nested objects by multilevel hashing |
US20060288116A1 (en) * | 2005-05-31 | 2006-12-21 | Brother Kogyo Kabushiki Kaisha | Management System, and Communication Device and Data Processing Device Used in Such System |
WO2006137057A3 (en) * | 2005-06-21 | 2007-08-02 | Onigma Ltd | A method and a system for providing comprehensive protection against leakage of sensitive information assets using host based agents, content- meta-data and rules-based policies |
WO2006137057A2 (en) * | 2005-06-21 | 2006-12-28 | Onigma Ltd. | A method and a system for providing comprehensive protection against leakage of sensitive information assets using host based agents, content- meta-data and rules-based policies |
US8056124B2 (en) * | 2005-07-15 | 2011-11-08 | Microsoft Corporation | Automatically generating rules for connection security |
US20070016945A1 (en) * | 2005-07-15 | 2007-01-18 | Microsoft Corporation | Automatically generating rules for connection security |
US8490153B2 (en) | 2005-07-15 | 2013-07-16 | Microsoft Corporation | Automatically generating rules for connection security |
US7647623B2 (en) * | 2005-10-17 | 2010-01-12 | Alcatel Lucent | Application layer ingress filtering |
US20070086338A1 (en) * | 2005-10-17 | 2007-04-19 | Alcatel | Application layer ingress filtering |
US8332947B1 (en) | 2006-06-27 | 2012-12-11 | Symantec Corporation | Security threat reporting in light of local security tools |
US20080109890A1 (en) * | 2006-11-03 | 2008-05-08 | Microsoft Corporation | Selective auto-revocation of firewall security settings |
US8214889B2 (en) | 2006-11-03 | 2012-07-03 | Microsoft Corporation | Selective auto-revocation of firewall security settings |
US7962358B1 (en) * | 2006-11-06 | 2011-06-14 | Sprint Communications Company L.P. | Integrated project and staffing management |
US7861031B2 (en) | 2007-03-01 | 2010-12-28 | Hewlett-Packard Development Company, L.P. | Access control management |
US20080212222A1 (en) * | 2007-03-01 | 2008-09-04 | Stan Feather | Access control management |
US8024514B2 (en) * | 2007-03-01 | 2011-09-20 | Hewlett-Packard Development Company, L.P. | Access control management |
US20080256646A1 (en) * | 2007-04-12 | 2008-10-16 | Microsoft Corporation | Managing Digital Rights in a Member-Based Domain Architecture |
US11257099B2 (en) | 2007-04-12 | 2022-02-22 | Microsoft Technology Licensing, Llc | Content preview |
US20080256592A1 (en) * | 2007-04-12 | 2008-10-16 | Microsoft Corporation | Managing Digital Rights for Multiple Assets in an Envelope |
US9805374B2 (en) | 2007-04-12 | 2017-10-31 | Microsoft Technology Licensing, Llc | Content preview |
US8539543B2 (en) * | 2007-04-12 | 2013-09-17 | Microsoft Corporation | Managing digital rights for multiple assets in an envelope |
US8296320B1 (en) * | 2007-04-30 | 2012-10-23 | Network Appliance, Inc. | Method and system for storing clients' access permissions in a cache |
US10320806B2 (en) | 2007-07-12 | 2019-06-11 | Wayport, Inc. | Device-specific authorization at distributed locations |
US8925047B2 (en) | 2007-07-12 | 2014-12-30 | Wayport, Inc. | Device-specific authorization at distributed locations |
US8627416B2 (en) | 2007-07-12 | 2014-01-07 | Wayport, Inc. | Device-specific authorization at distributed locations |
US20090077245A1 (en) * | 2007-08-16 | 2009-03-19 | Vladimir Smelyansky | Client-To-Client Direct RTP Exchange In A Managed Client-Server Network |
US7996543B2 (en) * | 2007-08-16 | 2011-08-09 | Xcastlabs | Client-to-client direct RTP exchange in a managed client-server network |
US20090125599A1 (en) * | 2007-11-12 | 2009-05-14 | Ricoh Company, Ltd. | Multifunctional input/output device |
US8051137B2 (en) * | 2007-11-12 | 2011-11-01 | Ricoh Company, Ltd. | Multifunctional input/output device |
WO2009148647A2 (en) * | 2008-04-01 | 2009-12-10 | Microsoft Corporation | Centralized enforcement of name-based computer system security rules |
US7930760B2 (en) | 2008-04-01 | 2011-04-19 | Microsoft Corporation | Centralized enforcement of name-based computer system security rules |
US20090249436A1 (en) * | 2008-04-01 | 2009-10-01 | Microsoft Corporation | Centralized Enforcement of Name-Based Computer System Security Rules |
WO2009148647A3 (en) * | 2008-04-01 | 2010-02-25 | Microsoft Corporation | Centralized enforcement of name-based computer system security rules |
US20100054128A1 (en) * | 2008-08-29 | 2010-03-04 | O'hern William | Near Real-Time Alerting of IP Traffic Flow to Subscribers |
US20100138910A1 (en) * | 2008-12-03 | 2010-06-03 | Check Point Software Technologies, Ltd. | Methods for encrypted-traffic url filtering using address-mapping interception |
CN101610264B (en) * | 2009-07-24 | 2011-12-07 | 深圳市永达电子股份有限公司 | Firewall system, safety service platform and firewall system management method |
US9485218B2 (en) | 2010-03-23 | 2016-11-01 | Adventium Enterprises, Llc | Device for preventing, detecting and responding to security threats |
US20110238979A1 (en) * | 2010-03-23 | 2011-09-29 | Adventium Labs | Device for Preventing, Detecting and Responding to Security Threats |
US9537891B1 (en) * | 2011-09-27 | 2017-01-03 | Palo Alto Networks, Inc. | Policy enforcement based on dynamically attribute-based matched network objects |
US9461964B2 (en) | 2011-09-27 | 2016-10-04 | Palo Alto Networks, Inc. | Dynamic address policy enforcement |
US10348765B2 (en) | 2011-09-27 | 2019-07-09 | Palo Alto Networks, Inc. | Policy enforcement based on dynamically attribute-based matched network objects |
US9237027B2 (en) * | 2012-03-21 | 2016-01-12 | Raytheon Bbn Technologies Corp. | Destination address control to limit unauthorized communications |
US9619260B2 (en) | 2012-06-20 | 2017-04-11 | Palo Alto Networks, Inc. | Policy enforcement in a virtualized environment |
US9047109B1 (en) | 2012-06-20 | 2015-06-02 | Palo Alto Networks, Inc. | Policy enforcement in virtualized environment |
US9917862B2 (en) * | 2016-04-14 | 2018-03-13 | Airwatch Llc | Integrated application scanning and mobile enterprise computing management system |
US9916446B2 (en) * | 2016-04-14 | 2018-03-13 | Airwatch Llc | Anonymized application scanning for mobile devices |
US10354068B2 (en) * | 2016-04-14 | 2019-07-16 | Airwatch, Llc | Anonymized application scanning for mobile devices |
US20170300689A1 (en) * | 2016-04-14 | 2017-10-19 | Airwatch Llc | Anonymized application scanning for mobile devices |
US10154067B2 (en) | 2017-02-10 | 2018-12-11 | Edgewise Networks, Inc. | Network application security policy enforcement |
US10439985B2 (en) | 2017-02-15 | 2019-10-08 | Edgewise Networks, Inc. | Network application security policy generation |
WO2018152303A1 (en) * | 2017-02-15 | 2018-08-23 | Edgewise Networks, Inc. | Network application security policy generation |
US10348599B2 (en) | 2017-11-10 | 2019-07-09 | Edgewise Networks, Inc. | Automated load balancer discovery |
US11308109B2 (en) * | 2018-10-12 | 2022-04-19 | International Business Machines Corporation | Transfer between different combinations of source and destination nodes |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US6453419B1 (en) | | System and method for implementing a security policy |
US6182226B1 (en) | | System and method for controlling interactions between networks |
US9154489B2 (en) | | Query interface to policy server |
US7912856B2 (en) | | Adaptive encryption |
US7580919B1 (en) | | Query interface to policy server |
US8136143B2 (en) | | Generalized policy server |
US7272625B1 (en) | | Generalized policy server |
KR101213806B1 (en) | | Securing lightweight directory access protocol traffic |
USRE46439E1 (en) | | Distributed administration of access to information and interface for same |
US6321336B1 (en) | | System and method for redirecting network traffic to provide secure communication |
US6178505B1 (en) | | Secure delivery of information in a network |
US7406534B2 (en) | | Firewall configuration validation |
US8701177B2 (en) | | Method and apparatus for graphical presentation of firewall security policy |
AU733109B2 (en) | | Methods and apparatus for controlling access to information |
US7844563B2 (en) | | System and method for applying rule sets and rule interactions |
EP1062785A2 (en) | | System and method for controlling interactions between networks |
WO2000000879A2 (en) | | Generalized policy server |
WO2000079434A1 (en) | | Query interface to policy server |
Cisco | | Glossary |
Cisco | Glossary | |
AU762061B2 (en) | Generalized policy server | |
Maw | Administrative domain security gateway for file transfer |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | AS | Assignment | Owner name: SECURE COMPUTING CORPORATION, MINNESOTA Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:FLINT, ANDREW;REID. IRVING;AMDUR, GENE;REEL/FRAME:009294/0131 Effective date: 19980418 |
| | STCF | Information on status: patent grant | Free format text: PATENTED CASE |
| | CC | Certificate of correction | |
| | FPAY | Fee payment | Year of fee payment: 4 |
| | AS | Assignment | Owner name: CITICORP USA, INC. AS ADMINISTRATIVE AGENT,NEW YOR Free format text: SECURITY AGREEMENT;ASSIGNORS:SECURE COMPUTING CORPORATION;CIPHERTRUST, INC.;REEL/FRAME:018247/0359 Effective date: 20060831 |
| | AS | Assignment | Owner name: CITICORP USA, INC. AS ADMINISTRATIVE AGENT, NEW YO Free format text: SECURITY AGREEMENT;ASSIGNORS:SECURE COMPUTING CORPORATION;CIPHERTRUST, INC.;REEL/FRAME:018247/0359 Effective date: 20060831 |
| | AS | Assignment | Owner name: SECURE COMPUTING CORPORATION, CALIFORNIA Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:CITICORP USA, INC.;REEL/FRAME:021523/0713 Effective date: 20080904 |
| | FEPP | Fee payment procedure | Free format text: PAT HOLDER NO LONGER CLAIMS SMALL ENTITY STATUS, ENTITY STATUS SET TO UNDISCOUNTED (ORIGINAL EVENT CODE: STOL); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY |
| | FPAY | Fee payment | Year of fee payment: 8 |
| | AS | Assignment | Owner name: SECURE COMPUTING, LLC,CALIFORNIA Free format text: CHANGE OF NAME;ASSIGNOR:SECURE COMPUTING CORPORATION;REEL/FRAME:024128/0806 Effective date: 20081120 |
| | AS | Assignment | Owner name: SECURE COMPUTING, LLC, CALIFORNIA Free format text: CHANGE OF NAME;ASSIGNOR:SECURE COMPUTING CORPORATION;REEL/FRAME:024128/0806 Effective date: 20081120 |
| | AS | Assignment | Owner name: MCAFEE, INC.,CALIFORNIA Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:SECURE COMPUTING, LLC;REEL/FRAME:024456/0724 Effective date: 20100524 |
| | AS | Assignment | Owner name: MCAFEE, INC., CALIFORNIA Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:SECURE COMPUTING, LLC;REEL/FRAME:024456/0724 Effective date: 20100524 |
| | FEPP | Fee payment procedure | Free format text: PAYOR NUMBER ASSIGNED (ORIGINAL EVENT CODE: ASPN); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY |
| | FPAY | Fee payment | Year of fee payment: 12 |
| | AS | Assignment | Owner name: MCAFEE, LLC, CALIFORNIA Free format text: CHANGE OF NAME AND ENTITY CONVERSION;ASSIGNOR:MCAFEE, INC.;REEL/FRAME:043665/0918 Effective date: 20161220 |
| | AS | Assignment | Owner name: JPMORGAN CHASE BANK, N.A., NEW YORK Free format text: SECURITY INTEREST;ASSIGNOR:MCAFEE, LLC;REEL/FRAME:045055/0786 Effective date: 20170929 |
| | AS | Assignment | Owner name: MORGAN STANLEY SENIOR FUNDING, INC., MARYLAND Free format text: SECURITY INTEREST;ASSIGNOR:MCAFEE, LLC;REEL/FRAME:045056/0676 Effective date: 20170929 |
| | AS | Assignment | Owner name: MORGAN STANLEY SENIOR FUNDING, INC., MARYLAND Free format text: CORRECTIVE ASSIGNMENT TO CORRECT THE REMOVE PATENT 6336186 PREVIOUSLY RECORDED ON REEL 045056 FRAME 0676. ASSIGNOR(S) HEREBY CONFIRMS THE SECURITY INTEREST;ASSIGNOR:MCAFEE, LLC;REEL/FRAME:054206/0593 Effective date: 20170929 |
| | AS | Assignment | Owner name: JPMORGAN CHASE BANK, N.A., NEW YORK Free format text: CORRECTIVE ASSIGNMENT TO CORRECT THE REMOVE PATENT 6336186 PREVIOUSLY RECORDED ON REEL 045055 FRAME 786. ASSIGNOR(S) HEREBY CONFIRMS THE SECURITY INTEREST;ASSIGNOR:MCAFEE, LLC;REEL/FRAME:055854/0047 Effective date: 20170929 |
| | AS | Assignment | Owner name: MCAFEE, LLC, CALIFORNIA Free format text: RELEASE OF INTELLECTUAL PROPERTY COLLATERAL - REEL/FRAME 045055/0786;ASSIGNOR:JPMORGAN CHASE BANK, N.A., AS COLLATERAL AGENT;REEL/FRAME:054238/0001 Effective date: 20201026 |
| | AS | Assignment | Owner name: MCAFEE, LLC, CALIFORNIA Free format text: RELEASE OF INTELLECTUAL PROPERTY COLLATERAL - REEL/FRAME 045056/0676;ASSIGNOR:MORGAN STANLEY SENIOR FUNDING, INC., AS COLLATERAL AGENT;REEL/FRAME:059354/0213 Effective date: 20220301 |
| | AS | Assignment | Owner name: SECURE COMPUTING CORPORATION, CALIFORNIA Free format text: CORRECTIVE ASSIGNMENT TO CORRECT THE PROPERTY NUMBERS PREVIOUSLY RECORDED AT REEL: 021523 FRAME: 0713. ASSIGNOR(S) HEREBY CONFIRMS THE RELEASE OF PATENT SECURITY AGREEMENT;ASSIGNOR:CITICORP USA, INC.;REEL/FRAME:059690/0187 Effective date: 20080904 |